Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
| Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| saiku-olap-util-3.17.jar | org.saikuanalytics:saiku-olap-util:3.17 | 0 | 11 | |||
| saiku-service-3.17.jar | org.saikuanalytics:saiku-service:3.17 | 0 | 11 | |||
| saiku-web-3.17.jar | org.saikuanalytics:saiku-web:3.17 | 0 | 12 | |||
| antlr-2.7.7.jar | antlr:antlr:2.7.7 | 0 | 9 | |||
| aopalliance-1.0.jar | aopalliance:aopalliance:1.0 | 0 | 10 | |||
| asm-attrs-2.2.3.jar | asm:asm-attrs:2.2.3 | 0 | 10 | |||
| asm-3.1.jar | asm:asm:3.1 | 0 | 10 | |||
| avalon-framework-api-4.2.0.jar | avalon-framework:avalon-framework-api:4.2.0 | 0 | 11 | |||
| avalon-framework-impl-4.2.0.jar | avalon-framework:avalon-framework-impl:4.2.0 | 0 | 11 | |||
| licenseserver-core-1.0-SNAPSHOT.jar | bi.meteorite:licenseserver-core:1.0-SNAPSHOT | 0 | 10 | |||
| not-yet-commons-ssl-0.3.9.jar | cpe:/a:not_yet_commons_ssl_project:not_yet_commons_ssl:0.3.9 | ca.juliusdavies:not-yet-commons-ssl:0.3.9 | Medium | 1 | LOW | 12 |
| cglib-nodep-2.2.jar | cglib:cglib-nodep:2.2 | 0 | 11 | |||
| cglib-2.2.jar | cglib:cglib:2.2 | 0 | 10 | |||
| jcommander-1.30.jar | com.beust:jcommander:1.30 | 0 | 12 | |||
| clover-3.3.0.jar | 0 | 9 | ||||
| clover-3.3.0.jar: grover.jar | 0 | 9 | ||||
| phantomjsdriver-1.2.1.jar | com.codeborne:phantomjsdriver:1.2.1 | 0 | 11 | |||
| classmate-1.0.0.jar | com.fasterxml:classmate:1.0.0 | 0 | 15 | |||
| jackson-core-2.5.1.jar | cpe:/a:fasterxml:jackson:2.5.1 | com.fasterxml.jackson.core:jackson-core:2.5.1 | 0 | LOW | 23 | |
| jackson-databind-2.5.1.jar |
cpe:/a:fasterxml:jackson-databind:2.5.1
cpe:/a:fasterxml:jackson:2.5.1 |
com.fasterxml.jackson.core:jackson-databind:2.5.1 | High | 12 | HIGHEST | 23 |
| curvesapi-1.04.jar | com.github.virtuald:curvesapi:1.04 | 0 | 11 | |||
| gson-2.3.1.jar | com.google.code.gson:gson:2.3.1 | 0 | 16 | |||
| guava-17.0.jar | cpe:/a:google:guava:17.0 | com.google.guava:guava:17.0 | Medium | 1 | HIGHEST | 13 |
| gwt-servlet-2.5.1.jar | com.google.gwt:gwt-servlet:2.5.1 | 0 | 11 | |||
| guice-3.0.jar | com.google.inject:guice:3.0 | 0 | 15 | |||
| protobuf-java-2.4.1.jar | cpe:/a:google:protobuf:2.4.1 | com.google.protobuf:protobuf-java:2.4.1 | Medium | 1 | HIGHEST | 13 |
| json-simple-1.1.1.jar | com.googlecode.json-simple:json-simple:1.1.1 | 0 | 12 | |||
| lambdaj-2.3.3.jar | com.googlecode.lambdaj:lambdaj:2.3.3 | 0 | 12 | |||
| h2-1.4.188.jar | cpe:/a:h2database:h2:1.4.188 | com.h2database:h2:1.4.188 | 0 | LOW | 14 | |
| hazelcast-wm-3.6.2.jar | com.hazelcast:hazelcast-wm:3.6.2 | 0 | 19 | |||
| hazelcast-3.6.2.jar | 0 | 17 | ||||
| awaitility-1.6.3.jar | com.jayway.awaitility:awaitility:1.6.3 | 0 | 14 | |||
| jsch-0.1.54.jar | cpe:/a:jcraft:jsch:0.1.54 | com.jcraft:jsch:0.1.54 | 0 | LOW | 13 | |
| filters-2.0.235.jar |
cpe:/a:image_processing_software:image_processing_software:2.0.235
cpe:/a:processing:processing:2.0.235 |
com.jhlabs:filters:2.0.235 | Medium | 2 | LOW | 13 |
| marklogic-xcc-9.0.3.jar | cpe:/a:marklogic:marklogic:9.0.3 | com.marklogic:marklogic-xcc:9.0.3 | 0 | LOW | 13 | |
| operadriver-1.5.jar |
cpe:/a:opera:opera:1.5
cpe:/a:opera_software:opera:1.5 |
com.opera:operadriver:1.5 | High | 16 | LOW | 13 |
| operalaunchers-1.1.jar |
cpe:/a:opera:opera:1.1
cpe:/a:opera_software:opera:1.1 |
com.opera:operalaunchers:1.1 | High | 16 | LOW | 13 |
| operalaunchers-1.1.jar: launcher-win32-i86pc.exe | 0 | 2 | ||||
| orient-commons-1.3.0.jar | cpe:/a:orientdb:orientdb:1.3.0 | com.orientechnologies:orient-commons:1.3.0 | High | 2 | LOW | 23 |
| orientdb-core-1.3.0.jar | cpe:/a:orientdb:orientdb:1.3.0 | com.orientechnologies:orientdb-core:1.3.0 | High | 2 | LOW | 22 |
| miredot-annotations-1.3.1.jar | com.qmino:miredot-annotations:1.3.1 | 0 | 10 | |||
| jersey-apache-client-1.19.1.jar | cpe:/a:oracle:oracle_client:1.19.1 | com.sun.jersey.contribs:jersey-apache-client:1.19.1 | High | 1 | LOW | 17 |
| jersey-multipart-1.19.jar | com.sun.jersey.contribs:jersey-multipart:1.19 | 0 | 17 | |||
| jersey-spring-1.19.jar | com.sun.jersey.contribs:jersey-spring:1.19 | 0 | 18 | |||
| jersey-core-1.19.jar | cpe:/a:restful_web_services_project:restful_web_services:1.19 | com.sun.jersey:jersey-core:1.19 | 0 | LOW | 17 | |
| jaxb-impl-2.2.3-1.jar | com.sun.xml.bind:jaxb-impl:2.2.3-1 | 0 | 17 | |||
| paranamer-2.4.jar | com.thoughtworks.paranamer:paranamer:2.4 | 0 | 11 | |||
| xstream-1.4.5.jar | cpe:/a:xstream_project:xstream:1.4.5 | com.thoughtworks.xstream:xstream:1.4.5 | Medium | 2 | LOW | 23 |
| commons-beanutils-core-1.8.3.jar | cpe:/a:apache:commons_beanutils:1.8.3 | commons-beanutils:commons-beanutils-core:1.8.3 | High | 1 | LOW | 15 |
| commons-beanutils-1.9.3.jar | cpe:/a:apache:commons_beanutils:1.9.3 | commons-beanutils:commons-beanutils:1.9.3 | 0 | LOW | 23 | |
| commons-cli-1.2.jar | commons-cli:commons-cli:1.2 | 0 | 20 | |||
| commons-codec-1.9.jar | commons-codec:commons-codec:1.9 | 0 | 21 | |||
| commons-collections-3.2.1.jar | cpe:/a:apache:commons_collections:3.2.1 | commons-collections:commons-collections:3.2.1 | High | 2 | HIGHEST | 20 |
| commons-dbcp-1.4.jar | commons-dbcp:commons-dbcp:1.4 | 0 | 20 | |||
| commons-digester-1.8.jar | commons-digester:commons-digester:1.8 | 0 | 17 | |||
| commons-fileupload-1.3.3.jar | cpe:/a:apache:commons_fileupload:1.3.3 | commons-fileupload:commons-fileupload:1.3.3 | 0 | LOW | 23 | |
| commons-httpclient-20020423.jar |
cpe:/a:apache:commons-httpclient:-
cpe:/a:apache:httpclient:- |
commons-httpclient:commons-httpclient:20020423 | 0 | LOW | 8 | |
| commons-io-2.4.jar | commons-io:commons-io:2.4 | 0 | 21 | |||
| commons-jxpath-1.3.jar | commons-jxpath:commons-jxpath:1.3 | 0 | 20 | |||
| commons-lang-2.4.jar | commons-lang:commons-lang:2.4 | 0 | 20 | |||
| commons-logging-1.1.3.jar | commons-logging:commons-logging:1.1.3 | 0 | 21 | |||
| commons-math-1.2.jar | commons-math:commons-math:1.2 | 0 | 18 | |||
| commons-net-1.4.1.jar | commons-net:commons-net:1.4.1 | 0 | 15 | |||
| commons-pool-1.4.jar | commons-pool:commons-pool:1.4 | 0 | 19 | |||
| commons-vfs-1.0.jar | commons-vfs:commons-vfs:1.0 | 0 | 17 | |||
| concurrent-1.3.4.jar | concurrent:concurrent:1.3.4 | 0 | 12 | |||
| jbehave-junit-runner-1.2.0.jar | de.codecentric:jbehave-junit-runner:1.2.0 | 0 | 13 | |||
| dom4j-1.6.1.jar | cpe:/a:dom4j_project:dom4j:1.6.1 | dom4j:dom4j:1.6.1 | Medium | 1 | HIGHEST | 16 |
| eigenbase-properties-1.1.4.jar | eigenbase:eigenbase-properties:1.1.4 | 0 | 14 | |||
| eigenbase-resgen-1.3.5.jar | eigenbase:eigenbase-resgen:1.3.5 | 0 | 14 | |||
| eigenbase-xom-1.3.4.jar | eigenbase:eigenbase-xom:1.3.4 | 0 | 14 | |||
| hsqldb-1.8.0.10.jar | hsqldb:hsqldb:1.8.0.10 | 0 | 12 | |||
| cucumber-core-1.2.2.jar | info.cukes:cucumber-core:1.2.2 | 0 | 9 | |||
| cucumber-html-0.2.3.jar | info.cukes:cucumber-html:0.2.3 | 0 | 7 | |||
| cucumber-jvm-deps-1.0.3.jar | 0 | 9 | ||||
| gherkin-2.12.2.jar | info.cukes:gherkin:2.12.2 | 0 | 11 | |||
| java-client-2.1.0.jar | io.appium:java-client:2.1.0 | 0 | 11 | |||
| netty-3.5.2.Final.jar | cpe:/a:netty_project:netty:3.5.2 | io.netty:netty:3.5.2.Final | Medium | 2 | LOW | 14 |
| iText-4.2.0.jar | iText:iText:4.2.0 | 0 | 9 | |||
| javassist-3.12.1.GA.jar | javassist:javassist:3.12.1.GA | 0 | 10 | |||
| activation-1.1.jar | javax.activation:activation:1.1 | 0 | 14 | |||
| javax.el-api-2.2.4.jar | cpe:/a:oracle:glassfish:2.2.4 | javax.el:javax.el-api:2.2.4 | Medium | 2 | LOW | 19 |
| javax.inject-1.jar | javax.inject:javax.inject:1 | 0 | 10 | |||
| jcr-2.0.jar | cpe:/a:content_project:content:2.0 | javax.jcr:jcr:2.0 | Medium | 1 | LOW | 13 |
| mail-1.4.7.jar | cpe:/a:mail_project:mail:1.4.7 | javax.mail:mail:1.4.7 | Medium | 1 | LOW | 23 |
| javax.servlet-api-3.1.0.jar | cpe:/a:oracle:glassfish:3.1.0 | javax.servlet:javax.servlet-api:3.1.0 | Medium | 2 | LOW | 20 |
| jstl-1.2.jar | javax.servlet:jstl:1.2 | 0 | 11 | |||
| jta-1.1.jar | javax.transaction:jta:1.1 | 0 | 11 | |||
| validation-api-1.1.0.Final.jar | cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~ | javax.validation:validation-api:1.1.0.Final | Medium | 1 | HIGHEST | 11 |
| jsr311-api-1.1.1.jar | javax.ws.rs:jsr311-api:1.1.1 | 0 | 15 | |||
| jaxb-api-2.2.2.jar |
cpe:/a:fish:fish:2.2.2
cpe:/a:oracle:glassfish:2.2.2 |
javax.xml.bind:jaxb-api:2.2.2 | Medium | 2 | LOW | 13 |
| stax-api-1.0-2.jar | javax.xml.stream:stax-api:1.0-2 | 0 | 10 | |||
| joda-time-2.7.jar | cpe:/a:date_project:date:7.x-2.7::~~~drupal~~ | joda-time:joda-time:2.7 | Low | 1 | HIGHEST | 20 |
| jug-lgpl-2.0.0.jar | jug-lgpl:jug-lgpl:2.0.0 | 0 | 10 | |||
| log4j-1.2.14.jar | cpe:/a:apache:log4j:1.2.14 | log4j:log4j:1.2.14 | 0 | LOW | 12 | |
| mx4j-tools-3.0.1.jar | mx4j:mx4j-tools:3.0.1 | 0 | 7 | |||
| mysql-connector-java-5.1.17.jar |
cpe:/a:mysql:mysql:5.1.17
cpe:/a:oracle:connector/j:5.1.17 cpe:/a:oracle:mysql:5.1.17 cpe:/a:oracle:mysql_connector/j:5.1.17 cpe:/a:oracle:mysql_connectors:5.1.17 |
mysql:mysql-connector-java:5.1.17 | High | 393 | HIGHEST | 21 |
| jna-platform-4.1.0.jar | net.java.dev.jna:jna-platform:4.1.0 | 0 | 17 | |||
| jna-4.1.0.jar | net.java.dev.jna:jna:4.1.0 | 0 | 17 | |||
| jna-4.1.0.jar: jnidispatch.dll | 0 | 1 | ||||
| jna-4.1.0.jar: jnidispatch.dll | 0 | 1 | ||||
| jna-4.1.0.jar: jnidispatch.dll | 0 | 1 | ||||
| jcip-annotations-1.0.jar | net.jcip:jcip-annotations:1.0 | 0 | 10 | |||
| serenity-core-1.0.58.jar | net.serenity-bdd:serenity-core:1.0.58 | 0 | 10 | |||
| serenity-jbehave-1.0.23.jar | net.serenity-bdd:serenity-jbehave:1.0.23 | 0 | 10 | |||
| serenity-report-resources-1.0.58.jar | net.serenity-bdd:serenity-report-resources:1.0.58 | 0 | 8 | |||
| ehcache-core-2.5.1.jar | net.sf.ehcache:ehcache-core:2.5.1 | 0 | 9 | |||
| ehcache-core-2.5.1.jar: sizeof-agent.jar | net.sf.ehcache:sizeof-agent:1.0.1 | 0 | 14 | |||
| opencsv-2.0.jar | net.sf.opencsv:opencsv:2.0 | 0 | 12 | |||
| scannotation-1.0.2.jar | org.scannotation:scannotation:1.0.2 | 0 | 11 | |||
| cssparser-0.9.16.jar | net.sourceforge.cssparser:cssparser:0.9.16 | 0 | 11 | |||
| htmlcleaner-2.10.jar | cpe:/a:htmlcleaner_project:htmlcleaner:2.10 | net.sourceforge.htmlcleaner:htmlcleaner:2.10 | 0 | LOW | 9 | |
| htmlunit-core-js-2.17.jar | net.sourceforge.htmlunit:htmlunit-core-js:2.17 | 0 | 12 | |||
| htmlunit-2.17.jar | net.sourceforge.htmlunit:htmlunit:2.17 | 0 | 18 | |||
| jxl-2.6.12.jar | net.sourceforge.jexcelapi:jxl:2.6.12 | 0 | 10 | |||
| nekohtml-1.9.15.jar | net.sourceforge.nekohtml:nekohtml:1.9.15 | 0 | 11 | |||
| ognl-2.6.9.jar | cpe:/a:ognl_project:ognl:2.6.9 | ognl:ognl:2.6.9 | Medium | 1 | LOW | 10 |
| antlr-complete-3.5.2.jar | 0 | 10 | ||||
| ant-launcher-1.7.1.jar | org.apache.ant:ant-launcher:1.7.1 | 0 | 12 | |||
| ant-1.7.1.jar | org.apache.ant:ant:1.7.1 | 0 | 13 | |||
| axis2-kernel-1.5.jar | cpe:/a:apache:axis2:1.5 | org.apache.axis2:axis2-kernel:1.5 | High | 5 | HIGHEST | 13 |
| commons-collections4-4.1.jar | cpe:/a:apache:commons_collections:4.1 | org.apache.commons:commons-collections4:4.1 | 0 | LOW | 23 | |
| commons-compress-1.4.1.jar | cpe:/a:apache:commons-compress:1.4.1 | org.apache.commons:commons-compress:1.4.1 | 0 | LOW | 23 | |
| commons-exec-1.3.jar | org.apache.commons:commons-exec:1.3 | 0 | 23 | |||
| commons-lang3-3.3.2.jar | org.apache.commons:commons-lang3:3.3.2 | 0 | 22 | |||
| commons-vfs2-2.1-20150824.jar | org.apache.commons:commons-vfs2:2.1-SNAPSHOT | 0 | 23 | |||
| derby-10.5.3.0_1.jar | cpe:/a:apache:derby:10.5.3.0.1 | org.apache.derby:derby:10.5.3.0_1 | 0 | LOW | 12 | |
| org.osgi.core-1.0.0.jar | org.apache.felix:org.osgi.core:1.0.0 | 0 | 18 | |||
| httpclient-4.5.5.jar | cpe:/a:apache:httpclient:4.5.5 | org.apache.httpcomponents:httpclient:4.5.5 | 0 | LOW | 20 | |
| httpcore-4.3-alpha1.jar | org.apache.httpcomponents:httpcore:4.3-alpha1 | 0 | 18 | |||
| httpmime-4.4.1.jar | cpe:/a:apache:httpclient:4.4.1 | org.apache.httpcomponents:httpmime:4.4.1 | 0 | LOW | 19 | |
| jackrabbit-core-2.16.1.jar | cpe:/a:apache:jackrabbit:2.16.1 | org.apache.jackrabbit:jackrabbit-core:2.16.1 | 0 | LOW | 17 | |
| jackrabbit-data-2.10.0.jar | cpe:/a:apache:jackrabbit:2.10.0 | org.apache.jackrabbit:jackrabbit-data:2.10.0 | Medium | 2 | HIGHEST | 20 |
| org.apache.karaf.main-3.0.3.jar | cpe:/a:apache:karaf:3.0.3 | org.apache.karaf:org.apache.karaf.main:3.0.3 | High | 5 | HIGHEST | 24 |
| lucene-core-3.6.0.jar | org.apache.lucene:lucene-core:3.6.0 | 0 | 15 | |||
| fontbox-2.0.4.jar | cpe:/a:font_project:font:2.0.4 | org.apache.pdfbox:fontbox:2.0.4 | Medium | 1 | LOW | 22 |
| pdfbox-app-2.0.0.jar | cpe:/a:apache:pdfbox:2.0.0 | org.apache.pdfbox:pdfbox-app:2.0.0 | High | 2 | HIGHEST | 21 |
| poi-scratchpad-3.15.jar | cpe:/a:apache:poi:3.15 | org.apache.poi:poi-scratchpad:3.15 | 0 | LOW | 17 | |
| poi-3.17.jar | cpe:/a:apache:poi:3.17 | org.apache.poi:poi:3.17 | 0 | LOW | 17 | |
| xmlsec-1.4.4.jar | cpe:/a:xmlsec_project:xmlsec:1.4.4 | org.apache.santuario:xmlsec:1.4.4 | 0 | LOW | 13 | |
| tika-core-1.17.jar | cpe:/a:apache:tika:1.17 | org.apache.tika:tika-core:1.17 | High | 8 | HIGHEST | 25 |
| xmlbeans-2.6.0.jar | org.apache.xmlbeans:xmlbeans:2.6.0 | 0 | 13 | |||
| batik-css-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-css:1.8 | High | 2 | HIGHEST | 13 |
| batik-extension-1.9.jar | cpe:/a:apache:batik:1.9 | org.apache.xmlgraphics:batik-extension:1.9 | High | 1 | HIGHEST | 14 |
| fop-2.2.jar | cpe:/a:apache:formatting_objects_processor:2.2 | org.apache.xmlgraphics:fop:2.2 | 0 | LOW | 16 | |
| xmlgraphics-commons-2.2.jar | org.apache.xmlgraphics:xmlgraphics-commons:2.2 | 0 | 16 | |||
| asciidoctor-java-integration-0.1.3.jar | org.asciidoctor:asciidoctor-java-integration:0.1.3 | 0 | 10 | |||
| aspectjrt-1.6.6.jar | org.aspectj:aspectjrt:1.6.6 | 0 | 12 | |||
| bcpkix-jdk15on-1.48.jar | org.bouncycastle:bcpkix-jdk15on:1.48 | 0 | 18 | |||
| groovy-all-2.3.3.jar | cpe:/a:apache:groovy:2.3.3 | commons-cli:commons-cli:1.2 | High | 3 | HIGHEST | 23 |
| groovy-2.3.9.jar | cpe:/a:apache:groovy:2.3.9 | commons-cli:commons-cli:1.2 | High | 3 | HIGHEST | 23 |
| jackson-core-asl-1.9.2.jar | cpe:/a:fasterxml:jackson:1.9.2 | org.codehaus.jackson:jackson-core-asl:1.9.2 | 0 | LOW | 19 | |
| jackson-xc-1.9.2.jar |
cpe:/a:fasterxml:jackson-databind:1.9.2
cpe:/a:fasterxml:jackson:1.9.2 |
org.codehaus.jackson:jackson-xc:1.9.2 | High | 2 | LOW | 17 |
| jettison-1.2.jar | org.codehaus.jettison:jettison:1.2 | 0 | 13 | |||
| plexus-utils-3.0.10.jar | org.codehaus.plexus:plexus-utils:3.0.10 | 0 | 14 | |||
| jetty-io-9.2.11.v20150529.jar | org.eclipse.jetty:jetty-io:9.2.11.v20150529 | 0 | 19 | |||
| jetty-util-8.1.15.v20140411.jar |
cpe:/a:eclipse:jetty:8.1.15.v20140411
cpe:/a:jetty:jetty:8.1.15.v20140411 |
org.eclipse.jetty:jetty-util:8.1.15.v20140411 | High | 4 | LOW | 20 |
| websocket-api-9.2.11.v20150529.jar |
cpe:/a:eclipse:jetty:9.2.11.v20150529
cpe:/a:jetty:jetty:9.2.11.v20150529 |
org.eclipse.jetty.websocket:websocket-api:9.2.11.v20150529 | High | 4 | LOW | 18 |
| fluentlenium-core-0.10.2.jar | org.fluentlenium:fluentlenium-core:0.10.2 | 0 | 15 | |||
| fontbox-0.1.0.jar | cpe:/a:font_project:font:0.1.0 | org.fontbox:fontbox:0.1.0 | Medium | 1 | LOW | 10 |
| freemarker-2.3.21.jar | org.freemarker:freemarker:2.3.21 | 0 | 21 | |||
| webservices-api-2.1.jar | 0 | 12 | ||||
| webservices-rt-2.1.jar | 0 | 13 | ||||
| javax.el-2.2.4.jar | cpe:/a:oracle:glassfish:2.2.4 | org.glassfish.web:javax.el:2.2.4 | Medium | 2 | LOW | 20 |
| hamcrest-all-1.3.jar | com.thoughtworks.qdox:qdox:1.12 | 0 | 15 | |||
| hamcrest-core-1.3.jar | org.hamcrest:hamcrest-core:1.3 | 0 | 14 | |||
| hamcrest-integration-1.3.jar | org.hamcrest:hamcrest-integration:1.3 | 0 | 14 | |||
| hamcrest-library-1.3.jar | org.hamcrest:hamcrest-library:1.3 | 0 | 14 | |||
| hibernate-commons-annotations-4.0.4.Final.jar | cpe:/a:processing:processing:4.0.4 | org.hibernate.common:hibernate-commons-annotations:4.0.4.Final | 0 | LOW | 17 | |
| hibernate-core-4.3.5.Final.jar | org.hibernate:hibernate-core:4.3.5.Final | 0 | 18 | |||
| hibernate-ehcache-3.6.0.Final.jar | org.hibernate:hibernate-ehcache:3.6.0.Final | 0 | 17 | |||
| hibernate-validator-5.1.1.Final.jar | cpe:/a:hibernate:hibernate_validator:5.1 | org.hibernate:hibernate-validator:5.1.1.Final | Medium | 1 | HIGHEST | 20 |
| hibernate-jpa-2.1-api-1.0.0.Final.jar | org.hibernate.javax.persistence:hibernate-jpa-2.1-api:1.0.0.Final | 0 | 14 | |||
| ini4j-0.5.2.jar | org.ini4j:ini4j:0.5.2 | 0 | 10 | |||
| cas-client-core-3.3.2.jar | org.jasig.cas.client:cas-client-core:3.3.2 | 0 | 15 | |||
| javassist-3.20.0-GA.jar | org.javassist:javassist:3.20.0-GA | 0 | 15 | |||
| jbehave-core-3.9.3.jar | org.jbehave:jbehave-core:3.9.3 | 0 | 12 | |||
| jandex-1.1.0.Final.jar | org.jboss:jandex:1.1.0.Final | 0 | 16 | |||
| jboss-logging-annotations-1.2.0.Beta1.jar | org.jboss.logging:jboss-logging-annotations:1.2.0.Beta1 | 0 | 18 | |||
| jboss-logging-3.1.3.GA.jar | org.jboss.logging:jboss-logging:3.1.3.GA | 0 | 26 | |||
| jboss-transaction-api_1.2_spec-1.0.0.Final.jar | org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:1.0.0.Final | 0 | 22 | |||
| jdom2-2.0.5.jar | org.jdom:jdom2:2.0.5 | 0 | 32 | |||
| jdom-1.1.jar | org.jdom:jdom:1.1 | 0 | 30 | |||
| jempbox-0.2.0.jar | org.jempbox:jempbox:0.2.0 | 0 | 10 | |||
| jruby-complete-1.7.4.jar | cpe:/a:jruby:jruby:1.7.4 | Medium | 1 | LOW | 13 | |
| jruby-complete-1.7.4.jar: jffi-1.2.dll | 0 | 2 | ||||
| jruby-complete-1.7.4.jar: jffi-1.2.dll | 0 | 2 | ||||
| jruby-complete-1.7.4.jar: jrubyw.exe | 0 | 1 | ||||
| jruby-complete-1.7.4.jar: generator.jar | 0 | 3 | ||||
| jruby-complete-1.7.4.jar: parser.jar | 0 | 3 | ||||
| jruby-complete-1.7.4.jar: bcpkix-jdk15on-147.jar | 0 | 13 | ||||
| jruby-complete-1.7.4.jar: bcprov-jdk15on-147.jar | 0 | 13 | ||||
| jruby-complete-1.7.4.jar: jopenssl.jar |
cpe:/a:openssl:openssl:-
cpe:/a:openssl_project:openssl:- |
High | 75 | LOW | 4 | |
| jruby-complete-1.7.4.jar: kryptcore.jar | 0 | 5 | ||||
| jruby-complete-1.7.4.jar: kryptproviderjdk.jar | 0 | 5 | ||||
| jruby-complete-1.7.4.jar: jansi.dll | 0 | 1 | ||||
| jruby-complete-1.7.4.jar: jansi.dll | 0 | 1 | ||||
| mimepull-1.9.4.jar | org.jvnet.mimepull:mimepull:1.9.4 | 0 | 22 | |||
| mockito-all-1.8.5.jar | org.mockito:mockito-all:1.8.5 | 0 | 11 | |||
| servlet-api-2.5-6.1.9.jar |
cpe:/a:jetty:jetty:6.1.9
cpe:/a:mortbay:jetty:6.1.9 cpe:/a:mortbay_jetty:jetty:6.1.9 |
org.mortbay.jetty:servlet-api-2.5:6.1.9 | High | 7 | HIGHEST | 20 |
| rhino-1.7R5.jar | org.mozilla:rhino:1.7R5 | 0 | 15 | |||
| jmi-200507110943.jar | org.netbeans:jmi:200507110943 | 0 | 10 | |||
| jmiutils-200507110943.jar | org.netbeans:jmiutils:200507110943 | 0 | 11 | |||
| mdrapi-200507110943.jar | org.netbeans:mdrapi:200507110943 | 0 | 10 | |||
| mof-200507110943.jar | org.netbeans:mof:200507110943 | 0 | 10 | |||
| nbmdr-200507110943-custom.jar | org.netbeans:nbmdr:200507110943-custom | 0 | 9 | |||
| openide-util-200507110943.jar | org.netbeans:openide-util:200507110943 | 0 | 8 | |||
| objenesis-2.1.jar | org.objenesis:objenesis:2.1 | 0 | 20 | |||
| olap4j-xmla-TRUNK-SNAPSHOT.jar | org.olap4j:olap4j-xmla:TRUNK-SNAPSHOT | 0 | 10 | |||
| olap4j-xmlaserver-1.2.0.jar | cpe:/a:connections_project:connections:1.2.0 | org.olap4j:olap4j-xmlaserver:1.2.0 | 0 | LOW | 15 | |
| olap4j-TRUNK-SNAPSHOT.jar | org.olap4j:olap4j:TRUNK-SNAPSHOT | 0 | 8 | |||
| opensaml-2.5.1-1.jar | cpe:/a:internet2:opensaml:2.5.1.1 | org.opensaml:opensaml:2.5.1-1 | 0 | LOW | 17 | |
| openws-1.4.2-1.jar | cpe:/a:ws_project:ws:1.4.2.1 | org.opensaml:openws:1.4.2-1 | 0 | LOW | 19 | |
| xmltooling-1.3.2-1.jar |
cpe:/a:internet2:xmltooling:1.3.2.1
cpe:/a:xmltooling_project:xmltooling:1.3.2.1 |
org.opensaml:xmltooling:1.3.2-1 | Medium | 1 | LOW | 15 |
| asm-5.0.3.jar | org.ow2.asm:asm:5.0.3 | 0 | 16 | |||
| encoder-1.2.jar | org.owasp.encoder:encoder:1.2 | 0 | 12 | |||
| esapi-2.0GA.jar | cpe:/a:owasp:enterprise_security_api:2.0ga | org.owasp.esapi:esapi:2.0GA | 0 | LOW | 17 | |
| pentaho-vfs-1.0.jar | org.pentaho:pentaho-vfs:1.0 | 0 | 7 | |||
| libbase-7.1.0.0-12.jar | org.pentaho.reporting.library:libbase:7.1.0.0-12 | 0 | 20 | |||
| libformula-7.1.0.0-12.jar | org.pentaho.reporting.library:libformula:7.1.0.0-12 | 0 | 20 | |||
| quartz-1.7.2.jar | org.quartz-scheduler:quartz:1.7.2 | 0 | 10 | |||
| reflections-0.9.8.jar | org.reflections:reflections:0.9.8 | 0 | 12 | |||
| saiku-query-0.4-SNAPSHOT.jar | org.saiku:saiku-query:0.4-SNAPSHOT | 0 | 11 | |||
| jcifs-1.3.3.jar | cpe:/a:samba:samba:1.3.3 | org.samba.jcifs:jcifs:1.3.3 | High | 22 | LOW | 10 |
| scannotation-1.0.2.jar | org.scannotation:scannotation:1.0.2 | 0 | 10 | |||
| jetty-rc-repacked-5.jar | cpe:/a:jetty:jetty:- | org.seleniumhq.selenium:jetty-rc-repacked:5 | 0 | LOW | 11 | |
| jetty-repacked-7.6.1.jar | cpe:/a:jetty:jetty:7.6.1 | 0 | LOW | 7 | ||
| selenium-api-2.46.0.jar | org.seleniumhq.selenium:selenium-api:2.46.0 | 0 | 11 | |||
| selenium-chrome-driver-2.46.0.jar | cpe:/a:selenium-chromedriver_project:selenium-chromedriver:2.46.0 | org.seleniumhq.selenium:selenium-chrome-driver:2.46.0 | High | 1 | LOW | 12 |
| selenium-firefox-driver-2.46.0.jar | org.seleniumhq.selenium:selenium-firefox-driver:2.46.0 | 0 | 12 | |||
| selenium-htmlunit-driver-2.46.0.jar | org.seleniumhq.selenium:selenium-htmlunit-driver:2.46.0 | 0 | 12 | |||
| selenium-ie-driver-2.46.0.jar | org.seleniumhq.selenium:selenium-ie-driver:2.46.0 | 0 | 12 | |||
| selenium-java-2.46.0.jar | org.seleniumhq.selenium:selenium-java:2.46.0 | 0 | 9 | |||
| selenium-leg-rc-2.46.0.jar | org.seleniumhq.selenium:selenium-leg-rc:2.46.0 | 0 | 13 | |||
| selenium-remote-driver-2.46.0.jar | org.seleniumhq.selenium:selenium-remote-driver:2.46.0 | 0 | 12 | |||
| selenium-safari-driver-2.46.0.jar | org.seleniumhq.selenium:selenium-safari-driver:2.46.0 | 0 | 12 | |||
| selenium-server-2.46.0.jar | org.seleniumhq.selenium:selenium-server:2.46.0 | 0 | 12 | |||
| selenium-server-2.46.0.jar: readystate.jar | 0 | 1 | ||||
| selenium-server-2.46.0.jar: hudsuckr.exe | 0 | 1 | ||||
| selenium-support-2.46.0.jar | org.seleniumhq.selenium:selenium-support:2.46.0 | 0 | 12 | |||
| jcl-over-slf4j-1.7.7.jar | org.slf4j:jcl-over-slf4j:1.7.7 | 0 | 17 | |||
| jul-to-slf4j-1.6.1.jar | org.slf4j:jul-to-slf4j:1.6.1 | 0 | 14 | |||
| slf4j-api-1.6.4.jar | org.slf4j:slf4j-api:1.6.4 | 0 | 17 | |||
| slf4j-log4j12-1.6.4.jar | org.slf4j:slf4j-log4j12:1.6.4 | 0 | 17 | |||
| se-jcr-0.9.jar |
cpe:/a:pivotal:spring_framework:0.9
cpe:/a:pivotal_software:spring_framework:0.9 cpe:/a:springsource:spring_framework:0.9 cpe:/a:vmware:springsource_spring_framework:0.9 |
org.springframework:se-jcr:0.9 | High | 10 | LOW | 15 |
| spring-security-cas-4.0.1.RELEASE.jar | org.springframework.security:spring-security-cas:4.0.1.RELEASE | 0 | 12 | |||
| spring-security-config-4.0.1.RELEASE.jar | org.springframework.security:spring-security-config:4.0.1.RELEASE | 0 | 12 | |||
| spring-security-core-4.1.3.RELEASE.jar | org.springframework.security:spring-security-core:4.1.3.RELEASE | 0 | 12 | |||
| spring-security-web-4.0.1.RELEASE.jar | org.springframework.security:spring-security-web:4.0.1.RELEASE | 0 | 12 | |||
| spring-context-support-4.1.6.RELEASE.jar |
cpe:/a:context_project:context:4.1.6
cpe:/a:pivotal:spring_framework:4.1.6 cpe:/a:pivotal_software:spring_framework:4.1.6 cpe:/a:springsource:spring_framework:4.1.6 cpe:/a:vmware:springsource_spring_framework:4.1.6 |
org.springframework:spring-context-support:4.1.6.RELEASE | High | 6 | HIGHEST | 16 |
| spring-core-4.1.6.RELEASE.jar |
cpe:/a:pivotal:spring_framework:4.1.6
cpe:/a:pivotal_software:spring_framework:4.1.6 cpe:/a:springsource:spring_framework:4.1.6 cpe:/a:vmware:springsource_spring_framework:4.1.6 |
org.springframework:spring-core:4.1.6.RELEASE | High | 6 | HIGHEST | 16 |
| spring-expression-4.3.2.RELEASE.jar |
cpe:/a:pivotal:spring_framework:4.3.2
cpe:/a:pivotal_software:spring_framework:4.3.2 cpe:/a:springsource:spring_framework:4.3.2 cpe:/a:vmware:springsource_spring_framework:4.3.2 |
org.springframework:spring-expression:4.3.2.RELEASE | High | 10 | HIGHEST | 16 |
| spring-binding-2.4.4.RELEASE.jar | org.springframework.webflow:spring-binding:2.4.4.RELEASE | 0 | 12 | |||
| sac-1.3.jar | org.w3c.css:sac:1.3 | 0 | 14 | |||
| webbit-0.4.14.jar | cpe:/a:id:id-software:0.4.14 | org.webbitserver:webbit:0.4.14 | 0 | LOW | 10 | |
| snakeyaml-1.7.jar | org.yaml:snakeyaml:1.7 | 0 | 11 | |||
| oro-2.0.8.jar | oro:oro:2.0.8 | 0 | 8 | |||
| kettle-core-7.1.0.0-12.jar | cpe:/a:pentaho:data_integration:7.1.0.0.12 | pentaho-kettle:kettle-core:7.1.0.0-12 | 0 | LOW | 10 | |
| kettle-engine-7.1.0.0-12.jar | cpe:/a:pentaho:data_integration:7.1.0.0.12 | pentaho-kettle:kettle-engine:7.1.0.0-12 | 0 | LOW | 10 | |
| cpf-core-7.1.0.0-12.jar | pentaho:cpf-core:7.1.0.0-12 | 0 | 13 | |||
| cpf-pentaho-7.1.0.0-12.jar | pentaho:cpf-pentaho:7.1.0.0-12 | 0 | 13 | |||
| metastore-7.1.0.0-12.jar | pentaho:metastore:7.1.0.0-12 | 0 | 17 | |||
| mondrian-3.11.0.0-353.jar | pentaho:mondrian:3.11.0.0-353 | 0 | 9 | |||
| pentaho-concurrent-1.0.0.jar | cpe:/a:id:id-software:1.0.0 | pentaho:pentaho-concurrent:1.0.0 | 0 | LOW | 16 | |
| pentaho-connections-7.1.0.0-12.jar | cpe:/a:connections_project:connections:7.1.0.0.12 | pentaho:pentaho-connections:7.1.0.0-12 | 0 | LOW | 17 | |
| pentaho-cwm-1.5.4.jar | pentaho:pentaho-cwm:1.5.4 | 0 | 8 | |||
| pentaho-metadata-7.1.0.0-12.jar | pentaho:pentaho-metadata:7.1.0.0-12 | 0 | 17 | |||
| pentaho-platform-api-5.0.0.jar | pentaho:pentaho-platform-api:5.0.0 | 0 | 7 | |||
| pentaho-platform-core-5.0.0.jar | pentaho:pentaho-platform-core:5.0.0 | 0 | 7 | |||
| pentaho-platform-extensions-5.0.0.jar | pentaho:pentaho-platform-extensions:5.0.0 | 0 | 7 | |||
| pentaho-platform-repository-7.1.0.0-12.jar | pentaho:pentaho-platform-repository:7.1.0.0-12 | 0 | 13 | |||
| pentaho-registry-7.1.0.0-12.jar | pentaho:pentaho-registry:7.1.0.0-12 | 0 | 8 | |||
| simple-jndi-1.0.0.jar | pentaho:simple-jndi:1.0.0 | 0 | 14 | |||
| secondstring-20060615.jar | secondstring:secondstring:20060615 | 0 | 8 | |||
| stax-api-1.0.1.jar | cpe:/a:st_project:st:1.0.1 | stax:stax-api:1.0.1 | Medium | 1 | LOW | 13 |
| velocity-1.5.jar | velocity:velocity:1.5 | 0 | 17 | |||
| wsdl4j-1.6.2.jar | wsdl4j:wsdl4j:1.6.2 | 0 | 12 | |||
| xalan-2.7.0.jar | cpe:/a:apache:xalan-java:2.7.0 | xalan:xalan:2.7.0 | High | 1 | HIGHEST | 18 |
| xercesImpl-2.8.1.jar | cpe:/a:apache:xerces2_java:2.8.1 | xerces:xercesImpl:2.8.1 | High | 1 | LOW | 39 |
| xml-apis-ext-1.3.04.jar | xml-apis:xml-apis-ext:1.3.04 | 0 | 19 | |||
| xml-apis-1.3.04.jar | xml-apis:xml-apis:1.3.04 | 0 | 36 | |||
| xml-resolver-1.2.jar | xml-resolver:xml-resolver:1.2 | 0 | 12 | |||
| xmlpull-1.1.3.1.jar | xmlpull:xmlpull:1.1.3.1 | 0 | 9 | |||
| xpp3_min-1.1.4c.jar | xpp3:xpp3_min:1.1.4c | 0 | 12 | |||
| clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-api/pom.xml | com.atlassian.extras:atlassian-extras-api:2.5 | 0 | 6 | |||
| clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-common/pom.xml | com.atlassian.extras:atlassian-extras-common:2.5 | 0 | 6 | |||
| clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-core/pom.xml | com.atlassian.extras:atlassian-extras-core:2.5 | 0 | 6 | |||
| clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-decoder-api/pom.xml | com.atlassian.extras:atlassian-extras-decoder-api:2.5 | 0 | 6 | |||
| clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-decoder-v2/pom.xml | com.atlassian.extras:atlassian-extras-decoder-v2:2.5 | 0 | 6 | |||
| clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-legacy/pom.xml | com.atlassian.extras:atlassian-extras-legacy:2.5 | 0 | 6 | |||
| clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras/pom.xml | com.atlassian.extras:atlassian-extras:2.5 | 0 | 6 | |||
| clover-3.3.0.jar\META-INF/maven/commons-codec/commons-codec/pom.xml | commons-codec:commons-codec:1.5 | 0 | 9 | |||
| clover-3.3.0.jar\META-INF/maven/commons-lang/commons-lang/pom.xml | commons-lang:commons-lang:2.6 | 0 | 9 | |||
| clover-3.3.0.jar\META-INF/maven/com.google.code.gson/gson/pom.xml | com.google.code.gson:gson:1.3 | 0 | 6 | |||
| hazelcast-3.6.2.jar\META-INF/maven/com.hazelcast/hazelcast/pom.xml | cpe:/a:root:root:3.6.2 | com.hazelcast:hazelcast:3.6.2 | 0 | LOW | 7 | |
| hazelcast-3.6.2.jar\META-INF/maven/com.eclipsesource.minimal-json/minimal-json/pom.xml | com.eclipsesource.minimal-json:minimal-json:0.9.2-SNAPSHOT | 0 | 6 | |||
| hazelcast-3.6.2.jar\META-INF/maven/com.hazelcast/hazelcast-client-protocol/pom.xml | com.hazelcast:hazelcast-client-protocol:1.0.0 | 0 | 7 | |||
| cucumber-jvm-deps-1.0.3.jar\META-INF/maven/info.cukes/cucumber-jvm-deps/pom.xml | info.cukes:cucumber-jvm-deps:1.0.3 | 0 | 5 | |||
| cucumber-jvm-deps-1.0.3.jar\META-INF/maven/com.thoughtworks.xstream/xstream/pom.xml | cpe:/a:xstream_project:xstream:1.4.2 | com.thoughtworks.xstream:xstream:1.4.2 | Medium | 2 | LOW | 6 |
| cucumber-jvm-deps-1.0.3.jar\META-INF/maven/com.googlecode.java-diff-utils/diffutils/pom.xml | com.googlecode.java-diff-utils:diffutils:1.2.1 | 0 | 6 | |||
| antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/antlr-complete/pom.xml | org.antlr:antlr-complete:3.5.2 | 0 | 8 | |||
| antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/antlr/pom.xml | org.antlr:antlr:3.5.2 | 0 | 7 | |||
| antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/ST4/pom.xml | org.antlr:ST4:4.0.8 | 0 | 6 | |||
| antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/antlr-runtime/pom.xml |
cpe:/a:python:python:3.5.2
cpe:/a:python_software_foundation:python:3.5.2 |
org.antlr:antlr-runtime:3.5.2 | High | 10 | HIGHEST | 8 |
| antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/gunit/pom.xml | org.antlr:gunit:3.5.2 | 0 | 8 | |||
| antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/stringtemplate/pom.xml | org.antlr:stringtemplate:3.2.1 | 0 | 6 | |||
| webservices-api-2.1.jar\META-INF/maven/org.glassfish.metro/webservices-api/pom.xml | org.glassfish.metro:webservices-api:2.1 | 0 | 7 | |||
| webservices-api-2.1.jar\META-INF/maven/javax.xml.soap/saaj-api/pom.xml | javax.xml.soap:saaj-api:1.3.2 | 0 | 5 | |||
| webservices-api-2.1.jar\META-INF/maven/org.glassfish/javax.annotation/pom.xml | org.glassfish:javax.annotation:3.1-b35 | 0 | 7 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/webservices-rt/pom.xml | org.glassfish.metro:webservices-rt:2.1 | 0 | 7 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/wsit-api/pom.xml | org.glassfish.metro:wsit-api:2.1 | 0 | 7 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-commons/pom.xml | org.glassfish.metro:metro-commons:2.1 | 0 | 6 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-config-api/pom.xml | org.glassfish.metro:metro-config-api:2.1 | 0 | 6 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-runtime-api/pom.xml | org.glassfish.metro:metro-runtime-api:2.1 | 0 | 6 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/soaptcp-api/pom.xml | org.glassfish.metro:soaptcp-api:2.1 | 0 | 6 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-cm-api/pom.xml | cpe:/a:cm_project:cm:2.1 | org.glassfish.metro:metro-cm-api:2.1 | Medium | 1 | LOW | 6 |
| webservices-rt-2.1.jar\META-INF/maven/com.sun.xml.messaging.saaj/saaj-impl/pom.xml | com.sun.xml.messaging.saaj:saaj-impl:1.3.8 | 0 | 7 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.jvnet/mimepull/pom.xml | org.jvnet:mimepull:1.4 | 0 | 7 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.jvnet.staxex/stax-ex/pom.xml | cpe:/a:st_project:st:1.2.1 | org.jvnet.staxex:stax-ex:1.2 | Medium | 1 | LOW | 6 |
| webservices-rt-2.1.jar\META-INF/maven/com.sun.xml.ws/policy/pom.xml | cpe:/a:ws_project:ws:2.2.2 | com.sun.xml.ws:policy:2.2.2 | 0 | LOW | 7 | |
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.ha/ha-api/pom.xml | cpe:/a:fish:fish:3.1.8 | org.glassfish.ha:ha-api:3.1.8 | 0 | LOW | 4 | |
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/wsit-impl/pom.xml | org.glassfish.metro:wsit-impl:2.1 | 0 | 7 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-config-impl/pom.xml | org.glassfish.metro:metro-config-impl:2.1 | 0 | 6 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-runtime-impl/pom.xml | org.glassfish.metro:metro-runtime-impl:2.1 | 0 | 6 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/soaptcp-impl/pom.xml | org.glassfish.metro:soaptcp-impl:2.1 | 0 | 6 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/xmlfilter/pom.xml | org.glassfish.metro:xmlfilter:2.1 | 0 | 6 | |||
| webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/ws-mex/pom.xml | cpe:/a:ws_project:ws:2.1 | org.glassfish.metro:ws-mex:2.1 | 0 | LOW | 6 | |
| jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jffi/pom.xml | com.github.jnr:jffi:1.2.7 | 0 | 6 | |||
| jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-constants/pom.xml | cpe:/a:values_project:values:0.8.4 | com.github.jnr:jnr-constants:0.8.4 | 0 | LOW | 6 | |
| jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-enxio/pom.xml | com.github.jnr:jnr-enxio:0.4 | 0 | 6 | |||
| jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-ffi/pom.xml | com.github.jnr:jnr-ffi:1.0.4 | 0 | 6 | |||
| jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-netdb/pom.xml | com.github.jnr:jnr-netdb:1.1.2 | 0 | 6 | |||
| jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-posix/pom.xml | com.github.jnr:jnr-posix:2.5.3-SNAPSHOT | 0 | 5 | |||
| jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-unixsocket/pom.xml | com.github.jnr:jnr-unixsocket:0.3 | 0 | 6 | |||
| jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-x86asm/pom.xml | com.github.jnr:jnr-x86asm:1.0.2 | 0 | 6 | |||
| jruby-complete-1.7.4.jar\META-INF/maven/com.headius/invokebinder/pom.xml | com.headius:invokebinder:1.2 | 0 | 5 | |||
| jruby-complete-1.7.4.jar\META-INF/maven/com.jcraft/jzlib/pom.xml | cpe:/a:jcraft:jzlib:1.1.2 | com.jcraft:jzlib:1.1.2 | 0 | LOW | 8 | |
| jruby-complete-1.7.4.jar\META-INF/maven/jline/jline/pom.xml | jline:jline:2.7 | 0 | 4 | |||
| jruby-complete-1.7.4.jar\META-INF/maven/joda-time/joda-time/pom.xml | cpe:/a:date_project:date:2.2 | joda-time:joda-time:2.2 | Low | 1 | LOW | 8 |
| jruby-complete-1.7.4.jar\META-INF/maven/org.jruby.joni/joni/pom.xml | cpe:/a:oniguruma_project:oniguruma:2.0.0 | org.jruby.joni:joni:2.0.0 | 0 | LOW | 5 | |
| jruby-complete-1.7.4.jar\META-INF/maven/org.yaml/snakeyaml/pom.xml | org.yaml:snakeyaml:1.11 | 0 | 6 | |||
| jetty-repacked-7.6.1.jar\META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml |
cpe:/a:eclipse:jetty:7.6.1.v20120215
cpe:/a:jetty:jetty:7.6.1.v20120215 |
org.eclipse.jetty:jetty-http:7.6.1.v20120215 | High | 4 | LOW | 6 |
| jetty-repacked-7.6.1.jar\META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml | org.eclipse.jetty:jetty-io:7.6.1.v20120215 | 0 | 6 |
File Path: D:\eclipsmy\worplace\saikumysql\saiku-development\saiku-core\saiku-olap-util\target\saiku-olap-util-3.17.jar
MD5: 0dc4f07a7cfe169a4f8e5a0ed4a78c43
SHA1: ecc558e41255126cda402aa6618a3065889975c0
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\eclipsmy\worplace\saikumysql\saiku-development\saiku-core\saiku-service\target\saiku-service-3.17.jar
MD5: 29d1f6c915f7a876cbc9c4503589f330
SHA1: c5042c3ac2a721eaa60710f1c5cf9b1254382cbd
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\eclipsmy\worplace\saikumysql\saiku-development\saiku-core\saiku-web\target\saiku-web-3.17.jar
MD5: 9214e3c9069e3d2bc103a904d8aa9d00
SHA1: ee470ad97bef94af70328dbef04fc1de5523f85c
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
A framework for constructing recognizers, compilers,
and translators from grammatical descriptions containing
Java, C#, C++, or Python actions.
License:
BSD License: http://www.antlr.org/license.htmlFile Path: D:\maven\repository\antlr\antlr\2.7.7\antlr-2.7.7.jar
Description: AOP Alliance
License:
Public DomainFile Path: D:\maven\repository\aopalliance\aopalliance\1.0\aopalliance-1.0.jar
File Path: D:\maven\repository\asm\asm-attrs\2.2.3\asm-attrs-2.2.3.jar
MD5: f51584eaabd593a890ed13cea1e53d2f
SHA1: 65e5dacf38bd7c6035074c78a03f8d3c94f28f6a
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\asm\asm\3.1\asm-3.1.jar
MD5: b9b8d2d556f9458aac8c463fd511f86d
SHA1: c157def142714c544bdea2e6144645702adf7097
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\avalon-framework\avalon-framework-api\4.2.0\avalon-framework-api-4.2.0.jar
MD5: c6355b5d948ebd104f9686530a4efc3a
SHA1: 29a13fafd448b8357934283b73785bbab7124e8d
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\avalon-framework\avalon-framework-impl\4.2.0\avalon-framework-impl-4.2.0.jar
MD5: 5c1f8f5c8c6c043538fc4ea038c2aaf6
SHA1: 4da1db18947eb6950abb7ad79253011b9aec0e48
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\bi\meteorite\licenseserver-core\1.0-SNAPSHOT\licenseserver-core-1.0-SNAPSHOT.jar
MD5: c6b459648dbdee6aa45bf9b5a5eac8f3
SHA1: 91facd918cf1ce9328a0a474cdf773fb95330f31
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: A Java SSL component library
License:
Apache License v2: http://juliusdavies.ca/commons-ssl/LICENSE.txtFile Path: D:\maven\repository\ca\juliusdavies\not-yet-commons-ssl\0.3.9\not-yet-commons-ssl-0.3.9.jar
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions:
Description: Code generation library with shaded ASM dependecies
License:
ASF 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\cglib\cglib-nodep\2.2\cglib-nodep-2.2.jar
License:
ASF 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\cglib\cglib\2.2\cglib-2.2.jar
Description: A Java framework to parse command line options with annotations.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\beust\jcommander\1.30\jcommander-1.30.jar
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar
MD5: f56c176f10c30bf97d0ca6a7147b08e9
SHA1: 0611f5503f37cab7b57a4fe02832f0382a7a6240
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\embeddedjars\clover3.3.0\grover.jar
MD5: 12a0d595de6795ca20e690ec97d665c0
SHA1: 817b4654e7e9a6ce563ce65bd5bb648fbb1f8e4e
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
PhantomJSDriver is a Java binding for the PhantomJS WebDriver, GhostDriver.
The binding is developed within the GhostDriver project, and distributed through public Maven repository
and Selenium official .zip package.
License:
The BSD 2-Clause License: http://opensource.org/licenses/BSD-2-ClauseFile Path: D:\maven\repository\com\codeborne\phantomjsdriver\1.2.1\phantomjsdriver-1.2.1.jar
Description: Library for introspecting types with full generic information
including resolving of field and method types.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\fasterxml\classmate\1.0.0\classmate-1.0.0.jar
Description: Core Jackson abstractions, basic JSON streaming API implementation
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\fasterxml\jackson\core\jackson-core\2.5.1\jackson-core-2.5.1.jar
Description: General data-binding functionality for Jackson: works on core streaming API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\fasterxml\jackson\core\jackson-databind\2.5.1\jackson-databind-2.5.1.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-918 Server-Side Request Forgery (SSRF)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Vulnerable Software & Versions: (show all)
Description: Implementation of various mathematical curves that define themselves over a set of control points. The API is written in Java. The curves supported are: Bezier, B-Spline, Cardinal Spline, Catmull-Rom Spline, Lagrange, Natural Cubic Spline, and NURBS.
License:
BSD License: http://opensource.org/licenses/BSD-3-ClauseFile Path: D:\maven\repository\com\github\virtuald\curvesapi\1.04\curvesapi-1.04.jar
Description: Google Gson library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\google\code\gson\gson\2.3.1\gson-2.3.1.jar
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\google\guava\guava\17.0\guava-17.0.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Vulnerable Software & Versions: (show all)
File Path: D:\maven\repository\com\google\gwt\gwt-servlet\2.5.1\gwt-servlet-2.5.1.jar
MD5: 2b97687f71e3e217ba3cc4b1e739f84a
SHA1: 7b5c8c363c8afea7ba4090166f9c8db35e51b77b
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Guice is a lightweight dependency injection framework for Java 5 and above
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\google\inject\guice\3.0\guice-3.0.jar
Description:
Protocol Buffers are a way of encoding structured data in an efficient yet
extensible format.
License:
New BSD license: http://www.opensource.org/licenses/bsd-license.phpFile Path: D:\maven\repository\com\google\protobuf\protobuf-java\2.4.1\protobuf-java-2.4.1.jar
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
Vulnerable Software & Versions: (show all)
Description: A simple Java toolkit for JSON
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\googlecode\json-simple\json-simple\1.1.1\json-simple-1.1.1.jar
Description: The pseudo-functional collection manipulation library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\googlecode\lambdaj\lambdaj\2.3.3\lambdaj-2.3.3.jar
Description: H2 Database Engine
License:
MPL 2.0, and EPL 1.0: http://h2database.com/html/license.htmlFile Path: D:\maven\repository\com\h2database\h2\1.4.188\h2-1.4.188.jar
Description: Hazelcast In-Memory DataGrid
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\hazelcast\hazelcast-wm\3.6.2\hazelcast-wm-3.6.2.jar
Description: Core Hazelcast Module
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\hazelcast\hazelcast\3.6.2\hazelcast-3.6.2.jar
Description: A Java DSL for synchronizing asynchronous operations
File Path: D:\maven\repository\com\jayway\awaitility\awaitility\1.6.3\awaitility-1.6.3.jar
MD5: 5e90fc070d98a398cdd42351420e3430
SHA1: 2b698080294539741574d9f7532eb46bdc2bc345
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: JSch is a pure Java implementation of SSH2
License:
Revised BSD: http://www.jcraft.com/jsch/LICENSE.txtFile Path: D:\maven\repository\com\jcraft\jsch\0.1.54\jsch-0.1.54.jar
Description: A collection of image processing filters.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0File Path: D:\maven\repository\com\jhlabs\filters\2.0.235\filters-2.0.235.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image.
Vulnerable Software & Versions:
Description: MarkLogic XML Contentbase Connector for Java (XCC/J)
File Path: D:\maven\repository\com\marklogic\marklogic-xcc\9.0.3\marklogic-xcc-9.0.3.jar
MD5: 7a6705e34bbaf8db48dd808c388257d9
SHA1: 38fe36b3c45aed18c6aeddab1b8ae4e89e908af9
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: OperaDriver is a vendor-supported WebDriver implementation developed by Opera Software and volunteers that implements WebDriver's wire protocol.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\opera\operadriver\1.5\operadriver-1.5.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.9
(AV:L/AC:M/Au:N/C:C/I:C/A:C)
Untrusted search path vulnerability in Opera before 10.62 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory, as demonstrated by a directory that contains a .htm, .mht, .mhtml, .xht, .xhtm, or .xhtl file. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Google Chrome detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Opera before 9.64 allows remote attackers to conduct cross-domain scripting attacks via unspecified vectors related to plug-ins.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-399 Resource Management Errors
The HTML parsing engine in Opera before 9.63 allows remote attackers to execute arbitrary code via crafted web pages that trigger an invalid pointer calculation and heap corruption.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The links panel in Opera before 9.62 processes Javascript within the context of the "outermost page" of a frame, which allows remote attackers to inject arbitrary web script or HTML via cross-site scripting (XSS) attacks.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
Opera before 9.62 allows remote attackers to execute arbitrary commands via the History Search results page, a different vulnerability than CVE-2008-4696.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Opera.dll in Opera before 9.61 allows remote attackers to inject arbitrary web script or HTML via the anchor identifier (aka the "optional fragment"), which is not properly escaped before storage in the History Search database (aka md.dat).
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-200 Information Exposure
Opera before 9.60 allows remote attackers to obtain sensitive information and have unspecified other impact by predicting the cache pathname of a cached Java applet and then launching this applet from the cache, leading to applet execution within the local-machine context.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Unspecified vulnerability in Opera before 9.52 on Windows, when registered as a protocol handler, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors in which Opera is launched by other applications.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Opera allows web sites to set cookies for country-specific top-level domains that have DNS A records, such as co.tv, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking."
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Unspecified vulnerability in Opera before 9.51 on Windows allows attackers to execute arbitrary code via unknown vectors.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Unspecified vulnerability in Opera before 9.27 has unknown impact and attack vectors related to "keyboard handling of password inputs."
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-399 Resource Management Errors
Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted newsfeed source, which triggers an invalid memory access.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Opera, probably before 7.50, sends Referer headers containing https:// URLs in requests for http:// URLs, which allows remote attackers to obtain potentially sensitive information by reading Referer log data.
Vulnerable Software & Versions:
Description: The launchers are used for starting, stopping and monitoring of Opera.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\opera\operalaunchers\1.1\operalaunchers-1.1.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.9
(AV:L/AC:M/Au:N/C:C/I:C/A:C)
Untrusted search path vulnerability in Opera before 10.62 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory, as demonstrated by a directory that contains a .htm, .mht, .mhtml, .xht, .xhtm, or .xhtl file. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Google Chrome detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Opera before 9.64 allows remote attackers to conduct cross-domain scripting attacks via unspecified vectors related to plug-ins.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-399 Resource Management Errors
The HTML parsing engine in Opera before 9.63 allows remote attackers to execute arbitrary code via crafted web pages that trigger an invalid pointer calculation and heap corruption.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The links panel in Opera before 9.62 processes Javascript within the context of the "outermost page" of a frame, which allows remote attackers to inject arbitrary web script or HTML via cross-site scripting (XSS) attacks.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
Opera before 9.62 allows remote attackers to execute arbitrary commands via the History Search results page, a different vulnerability than CVE-2008-4696.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Opera.dll in Opera before 9.61 allows remote attackers to inject arbitrary web script or HTML via the anchor identifier (aka the "optional fragment"), which is not properly escaped before storage in the History Search database (aka md.dat).
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-200 Information Exposure
Opera before 9.60 allows remote attackers to obtain sensitive information and have unspecified other impact by predicting the cache pathname of a cached Java applet and then launching this applet from the cache, leading to applet execution within the local-machine context.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Unspecified vulnerability in Opera before 9.52 on Windows, when registered as a protocol handler, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors in which Opera is launched by other applications.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Opera allows web sites to set cookies for country-specific top-level domains that have DNS A records, such as co.tv, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking."
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Unspecified vulnerability in Opera before 9.51 on Windows allows attackers to execute arbitrary code via unknown vectors.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Unspecified vulnerability in Opera before 9.27 has unknown impact and attack vectors related to "keyboard handling of password inputs."
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-399 Resource Management Errors
Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted newsfeed source, which triggers an invalid memory access.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Opera, probably before 7.50, sends Referer headers containing https:// URLs in requests for http:// URLs, which allows remote attackers to obtain potentially sensitive information by reading Referer log data.
Vulnerable Software & Versions:
File Path: D:\maven\repository\com\opera\operalaunchers\1.1\operalaunchers-1.1.jar\launchers\launcher-win32-i86pc.exe
MD5: 471167643016e8b2f444e8f5ca380af1
SHA1: d3a503274506205ef5781b14cf26f0c08997d591
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: OrientDB NoSQL document graph dbms
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\orientechnologies\orient-commons\1.3.0\orient-commons-1.3.0.jar
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.
Vulnerable Software & Versions: (show all)
Description: OrientDB NoSQL document graph dbms
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\orientechnologies\orientdb-core\1.3.0\orientdb-core-1.3.0.jar
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.
Vulnerable Software & Versions: (show all)
File Path: D:\maven\repository\com\qmino\miredot-annotations\1.3.1\miredot-annotations-1.3.1.jar
MD5: 8368756e5edb02d84c3076365cf4b202
SHA1: 01a7e6be5cc82a7bfc10bb17b1ed4d1aa16e095b
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Projects that provide additional functionality to jersey, like integration with other projects/frameworks.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: D:\maven\repository\com\sun\jersey\contribs\jersey-apache-client\1.19.1\jersey-apache-client-1.19.1.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Buffer overflow in an unspecified Oracle Client utility might allow remote attackers to execute arbitrary code or cause a denial of service. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DBC02 from the January 2006 CPU, in which case this would be a duplicate of CVE-2006-0283. However, there are enough inconsistencies that the mapping can not be made authoritatively.
Vulnerable Software & Versions:
Description: Projects that provide additional functionality to jersey, like integration with other projects/frameworks.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: D:\maven\repository\com\sun\jersey\contribs\jersey-multipart\1.19\jersey-multipart-1.19.jar
Description: Projects that provide additional functionality to jersey, like integration with other projects/frameworks.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: D:\maven\repository\com\sun\jersey\contribs\jersey-spring\1.19\jersey-spring-1.19.jar
Description: Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: D:\maven\repository\com\sun\jersey\jersey-core\1.19\jersey-core-1.19.jar
Description: JAXB (JSR 222) reference implementation
License:
CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: D:\maven\repository\com\sun\xml\bind\jaxb-impl\2.2.3-1\jaxb-impl-2.2.3-1.jar
File Path: D:\maven\repository\com\thoughtworks\paranamer\paranamer\2.4\paranamer-2.4.jar
MD5: 4bb9f5ba9cd794549665d35c754cf313
SHA1: af1cfb89b2d528fc083e1128cb1a6b67c755749c
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: XStream is a serialization library from Java objects to XML and back.
License:
http://xstream.codehaus.org/license.htmlFile Path: D:\maven\repository\com\thoughtworks\xstream\xstream\1.4.5\xstream-1.4.5.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Vulnerable Software & Versions:
File Path: D:\maven\repository\commons-beanutils\commons-beanutils-core\1.8.3\commons-beanutils-core-1.8.3.jar
MD5: 944f66e681239c8353e8497920f1e5d3
SHA1: 75812698e5e859f2cb587c622c4cdfcd61676426
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Vulnerable Software & Versions: (show all)
Description: Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-beanutils\commons-beanutils\1.9.3\commons-beanutils-1.9.3.jar
Description:
Commons CLI provides a simple API for presenting, processing and validating a command line interface.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-cli\commons-cli\1.2\commons-cli-1.2.jar
Description:
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-codec\commons-codec\1.9\commons-codec-1.9.jar
Description: Types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-collections\commons-collections\3.2.1\commons-collections-3.2.1.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Vulnerable Software & Versions: (show all)
Description: Commons Database Connection Pooling
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-dbcp\commons-dbcp\1.4\commons-dbcp-1.4.jar
Description: The Digester package lets you configure an XML->Java object mapping module
which triggers certain actions called rules whenever a particular
pattern of nested XML elements is recognized.
License:
The Apache Software License, Version 2.0: /LICENSE.txtFile Path: D:\maven\repository\commons-digester\commons-digester\1.8\commons-digester-1.8.jar
Description:
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-fileupload\commons-fileupload\1.3.3\commons-fileupload-1.3.3.jar
File Path: D:\maven\repository\commons-httpclient\commons-httpclient\20020423\commons-httpclient-20020423.jar
MD5: 8e4e15958e9c9401b6d7d47ba4337274
SHA1: 12eedf03e564f55595e6c422b67a04bdcc494161
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-io\commons-io\2.4\commons-io-2.4.jar
Description: A Java-based implementation of XPath 1.0 that, in addition to XML processing, can inspect/modify Java object graphs (the library's explicit purpose) and even mixed Java/XML structures.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-jxpath\commons-jxpath\1.3\commons-jxpath-1.3.jar
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-lang\commons-lang\2.4\commons-lang-2.4.jar
Description: Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-logging\commons-logging\1.1.3\commons-logging-1.1.3.jar
Description: The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\commons-math\commons-math\1.2\commons-math-1.2.jar
License:
The Apache Software License, Version 2.0: /LICENSE.txtFile Path: D:\maven\repository\commons-net\commons-net\1.4.1\commons-net-1.4.1.jar
Description: Commons Object Pooling Library
License:
The Apache Software License, Version 2.0: /LICENSE.txtFile Path: D:\maven\repository\commons-pool\commons-pool\1.4\commons-pool-1.4.jar
Description: VFS is a Virtual File System library.
License:
The Apache Software License, Version 2.0: /LICENSE.txtFile Path: D:\maven\repository\commons-vfs\commons-vfs\1.0\commons-vfs-1.0.jar
License:
Public domain, Sun Microsoystems: >http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/intro.htmlFile Path: D:\maven\repository\concurrent\concurrent\1.3.4\concurrent-1.3.4.jar
License:
MIT License: http://www.opensource.org/licenses/MITFile Path: D:\maven\repository\de\codecentric\jbehave-junit-runner\1.2.0\jbehave-junit-runner-1.2.0.jar
Description: dom4j: the flexible XML framework for Java
File Path: D:\maven\repository\dom4j\dom4j\1.6.1\dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-91 XML Injection (aka Blind XPath Injection)
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Vulnerable Software & Versions: (show all)
Description: Type-safe access to Java system properties.
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\eigenbase\eigenbase-properties\1.1.4\eigenbase-properties-1.1.4.jar
Description: Generator of type-safe wrappers for Java resource files.
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\eigenbase\eigenbase-resgen\1.3.5\eigenbase-resgen-1.3.5.jar
Description: XML object model for Java.
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\eigenbase\eigenbase-xom\1.3.4\eigenbase-xom-1.3.4.jar
Description: Lightweight 100% Java SQL Database Engine
License:
HSQLDB License: http://hsqldb.org/web/hsqlLicense.htmlFile Path: D:\maven\repository\hsqldb\hsqldb\1.8.0.10\hsqldb-1.8.0.10.jar
File Path: D:\maven\repository\info\cukes\cucumber-core\1.2.2\cucumber-core-1.2.2.jar
MD5: 9ace62243d13e65dfc9fa99b1745cd11
SHA1: c3b855da913bd04481708246cdf06c1ed5cb3c2d
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Cucumber-HTML is a cross-platform HTML formatter for all the Cucumber implementations.
License:
MIT License: http://www.opensource.org/licenses/mit-licenseFile Path: D:\maven\repository\info\cukes\cucumber-html\0.2.3\cucumber-html-0.2.3.jar
File Path: D:\maven\repository\info\cukes\cucumber-jvm-deps\1.0.3\cucumber-jvm-deps-1.0.3.jar
MD5: ea704dbb8932b59b4f1e0a7fe6119009
SHA1: cccdeff234db8b12e91ae2529812f1240b4d5603
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Pure Java Gherkin
License:
MIT License: http://www.opensource.org/licenses/mit-licenseFile Path: D:\maven\repository\info\cukes\gherkin\2.12.2\gherkin-2.12.2.jar
Description: Java client for Appium Mobile Webdriver
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\io\appium\java-client\2.1.0\java-client-2.1.0.jar
Description:
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0File Path: D:\maven\repository\io\netty\netty\3.5.2.Final\netty-3.5.2.Final.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Vulnerable Software & Versions: (show all)
Description: Artifactory auto generated POM
File Path: D:\maven\repository\iText\iText\4.2.0\iText-4.2.0.jar
MD5: b2c1f84b9960ba3cc336ef25a4fa3c65
SHA1: 2a4eeddf409b2f054bd66c796f680f01ca8ede62
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation
simple. It is a class library for editing bytecodes in Java.
License:
MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.htmlFile Path: D:\maven\repository\javassist\javassist\3.12.1.GA\javassist-3.12.1.GA.jar
Description:
JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
License:
Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.htmlFile Path: D:\maven\repository\javax\activation\activation\1.1\activation-1.1.jar
Description: Java.net - The Source for Java Technology Collaboration
License:
CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: D:\maven\repository\javax\el\javax.el-api\2.2.4\javax.el-api-2.2.4.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
Description: The javax.inject API
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\javax\inject\javax.inject\1\javax.inject-1.jar
Description:
The Content Repository API for JavaTM Technology Version 2.0 is specified by JSR-283.
This module contains the complete API as specified.
File Path: D:\maven\repository\javax\jcr\jcr\2.0\jcr-2.0.jar
MD5: ede5e78b16c8ed298ce0b6d296584ebd
SHA1: 08297216bcfe4aea369ed6ee0d1718133f752e97
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.
Vulnerable Software & Versions:
Description: JavaMail API (compat)
License:
http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: D:\maven\repository\javax\mail\mail\1.4.7\mail-1.4.7.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
Vulnerable Software & Versions:
Description: Java(TM) Servlet 3.1 API Design Specification
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: D:\maven\repository\javax\servlet\javax.servlet-api\3.1.0\javax.servlet-api-3.1.0.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
File Path: D:\maven\repository\javax\servlet\jstl\1.2\jstl-1.2.jar
MD5: 51e15f798e69358cb893e38c50596b9b
SHA1: 74aca283cd4f4b4f3e425f5820cda58f44409547
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation.
File Path: D:\maven\repository\javax\transaction\jta\1.1\jta-1.1.jar
MD5: 82a10ce714f411b28f13850059de09ee
SHA1: 2ca09f0b36ca7d71b762e14ea2ff09d5eac57558
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
Bean Validation API
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\javax\validation\validation-api\1.1.0.Final\validation-api-1.1.0.Final.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the Bean module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via the bean title.
Vulnerable Software & Versions: (show all)
License:
CDDL License
: http://www.opensource.org/licenses/cddl1.php
File Path: D:\maven\repository\javax\ws\rs\jsr311-api\1.1.1\jsr311-api-1.1.1.jarDescription:
JAXB (JSR 222) API
License:
CDDL 1.1: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html GPL2 w/ CPE: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.htmlFile Path: D:\maven\repository\javax\xml\bind\jaxb-api\2.2.2\jaxb-api-2.2.2.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
Description:
StAX is a standard XML processing API that allows you to stream XML data from and to your application.
License:
GNU General Public Library: http://www.gnu.org/licenses/gpl.txt COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.htmlFile Path: D:\maven\repository\javax\xml\stream\stax-api\1.0-2\stax-api-1.0-2.jar
Description: Date and time library to replace JDK date handling
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\joda-time\joda-time\2.7\joda-time-2.7.jar
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title.
Vulnerable Software & Versions:
File Path: D:\maven\repository\jug-lgpl\jug-lgpl\2.0.0\jug-lgpl-2.0.0.jar
MD5: 27e15d9c1de3614f5e7aee0fe891d470
SHA1: ea83645d04e1a31126b83e8ef0e372803d0356e1
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Log4j
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\log4j\log4j\1.2.14\log4j-1.2.14.jar
File Path: D:\maven\repository\mx4j\mx4j-tools\3.0.1\mx4j-tools-3.0.1.jar
MD5: 5f345ad6d9caf2d074df1c7dba35c6c6
SHA1: df853af9fe34d4eb6f849a1b5936fddfcbe67751
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: MySQL JDBC Type 4 driver
License:
The GNU General Public License, Version 2: http://www.gnu.org/licenses/old-licenses/gpl-2.0.htmlFile Path: D:\maven\repository\mysql\mysql-connector-java\5.1.17\mysql-connector-java-5.1.17.jar
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.2
(AV:L/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 8.0.13 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.9
(AV:L/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 8.0.13 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:N/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Roles). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Information Schema). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:N/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 1.9
(AV:L/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Shell: Core / Client). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 2.8 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Roles). Supported versions that are affected are 8.0.11 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Audit Log). Supported versions that are affected are 5.7.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:N/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.60 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:N/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: C API). Supported versions that are affected are 5.7.18 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: X Plugin). Supported versions that are affected are 5.7.16 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: X Plugin). Supported versions that are affected are 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). NOTE: the previous information is from the April 2017 CPU. Oracle has not commented on third-party claims that this issue is an integer overflow in sql/auth/sql_authentication.cc which allows remote attackers to cause a denial of service via a crafted authentication packet.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: UDF). Supported versions that are affected are 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.7.17 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: C API). Supported versions that are affected are 5.7.17 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Audit Plug-in). Supported versions that are affected are 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:N/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.35 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Thread Pooling). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.7.16 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS v3.0 Base Score 2.4 (Confidentiality impacts).
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: X Plugin). Supported versions that are affected are 5.7.16 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS v3.0 Base Score 3.1 (Confidentiality impacts).
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 1.0
(AV:L/AC:H/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Error Handling). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS v3.0 Base Score 4.0 (Confidentiality impacts).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.5
(AV:L/AC:M/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Logging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 4.0 (Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.5
(AV:L/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: MyISAM). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS v3.0 Base Score 4.7 (Confidentiality impacts).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:L/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-254 Security Features
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS v3.0 Base Score 6.7 (Confidentiality, Integrity and Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.3
(AV:N/AC:M/Au:S/C:C/I:N/A:N)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: C API). Supported versions that are affected are 5.5.55 and earlier and 5.6.35 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N). NOTE: the previous information is from the April 2017 CPU. Oracle has not commented on third-party claims that this issue allows man-in-the-middle attackers to hijack the authentication of users by leveraging incorrect ordering of security parameter verification in a client, aka, "The Riddle".
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and 5.7.x before 5.7.5 and MariaDB through 5.5.54, 10.0.x through 10.0.29, 10.1.x through 10.1.21, and 10.2.x through 10.2.3.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:L/AC:H/Au:S/C:P/I:P/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS v3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:P/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 5.6 (Confidentiality and Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-485 Insufficient Encapsulation
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.6.34 and earlier5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.16 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 4.9 (Availability impacts).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Charsets). Supported versions that are affected are 5.5.53 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 4.4 (Availability impacts).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:N/I:P/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 3.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Group Replication GCS). Supported versions that are affected are 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: FTS). Supported versions that are affected are 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Stored Procedure). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 4.4 (Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.8 (Availability impacts).
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Performance Schema, a different vulnerability than CVE-2016-5633.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.3
(AV:L/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows local users to affect integrity and availability via vectors related to Server: InnoDB.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-284 Improper Access Control
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect integrity via vectors related to Server: InnoDB Plugin.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Replication.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows remote authenticated users to affect confidentiality via vectors related to Server: Security: Privileges.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 1.2
(AV:L/AC:H/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.13 and earlier allows local users to affect availability via vectors related to Server: Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Security: Audit.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to RBR.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Performance Schema, a different vulnerability than CVE-2016-8290.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Memcached.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: DML.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.4
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Packaging.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 1.2
(AV:L/AC:H/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows local users to affect availability via vectors related to Server: Connection.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Security: Encryption.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Replication.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Log.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: InnoDB.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:N/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote authenticated users to affect integrity and availability via vectors related to Server: InnoDB.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Optimizer.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.8
(AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Locking.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to Performance Schema.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Partition.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Optimizer.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to Optimizer.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:P/I:N/A:N)
Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect confidentiality via vectors related to JSON.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to InnoDB, a different vulnerability than CVE-2016-0654.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to InnoDB, a different vulnerability than CVE-2016-0656.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to FTS.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to DML.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and MariaDB before 10.0.22 and 10.1.x before 10.1.9 allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.8
(AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.21 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0503.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0504.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:N/AC:H/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to libmysqld.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Replication.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client programs.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to RBR.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Firewall, a different vulnerability than CVE-2015-4767.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 1.7
(AV:N/AC:H/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Firewall, a different vulnerability than CVE-2015-4769.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 1.9
(AV:L/AC:M/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows local users to affect availability via unknown vectors related to Server : Security : Firewall.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB, a different vulnerability than CVE-2015-0439.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.20 and earlier allows remote authenticated users to affect availability via unknown vectors related to Types.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows local users to affect availability via unknown vectors related to Client.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Firewall.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Partition.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.8
(AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.8
(AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : SP.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB, a different vulnerability than CVE-2015-0506.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2015-0508.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.7
(AV:N/AC:H/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB, a different vulnerability than CVE-2015-4756.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to XA.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB FULLTEXT SEARCH DML.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:DDL.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:N/I:P/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect integrity and availability via vectors related to SERVER:SP.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:MEMCACHED.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:N/I:P/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.8
(AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to ENFED.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.6
(AV:L/AC:L/Au:N/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows local users to affect confidentiality and integrity via vectors related to SRREP.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SROPTZR.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SRREP.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.3
(AV:N/AC:L/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SRSP.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to SROPTZR.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to ENARC.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRFTS.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Privileges.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to MyISAM.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.8
(AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability Oracle the MySQL Server component 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-5881.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.8
(AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via vectors related to FTS.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.8
(AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.3
(AV:N/AC:L/Au:M/C:N/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Stored Procedures.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2014-0431.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-5786.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-5793.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:N/AC:H/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.70 and earlier, 5.5.32 and earlier, and 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-3806.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to XA Transactions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Audit Log.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:H/Au:N/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Server Privileges.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-3811.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Prepared Statements.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Full Text Search.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:N/I:P/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote attackers to affect integrity and availability via unknown vectors related to MemCached.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Partition.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Parser.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language, a different vulnerability than CVE-2013-1567.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.0
(AV:L/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows local users to affect confidentiality and integrity via unknown vectors related to Server Install.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server Privileges.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Stored Procedure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote attackers to affect availability via unknown vectors related to MemCached.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language, a different vulnerability than CVE-2013-2395.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, and 5.5.29 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Partition.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.63 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Types.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Information Schema.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Privileges.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:N/AC:H/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Locking.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.8
(AV:N/AC:M/Au:M/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Locking.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.5
(AV:L/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.9 and earlier allows local users to affect availability via unknown vectors related to Server Partition.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.30, has unspecified impact and attack vectors, a different vulnerability than CVE-2012-0553.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to Stored Procedure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.6
(AV:L/AC:L/Au:N/C:C/I:C/A:N)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows local users to affect confidentiality and integrity via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Information Schema.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote attackers to affect availability via unknown vectors related to Server Locking.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.1.28 and earlier, allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and earlier allows remote authenticated users to affect availability, related to MyISAM.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Partition.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and earlier allows remote authenticated users with Server Privileges to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.65 and earlier and 5.5.27 and earlier allows remote authenticated users to affect availability, related to GIS Extension.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Multiple SQL injection vulnerabilities in the replication code in Oracle MySQL possibly before 5.5.29, and MariaDB 5.1.x through 5.1.62, 5.2.x through 5.2.12, 5.3.x through 5.3.7, and 5.5.x through 5.5.25, allow remote authenticated users to execute arbitrary SQL commands via vectors related to the binary log. NOTE: as of 20130116, Oracle has not commented on claims from a downstream vendor that the fix in MySQL 5.5.29 is incomplete.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to InnoDB Plugin.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows local users to affect confidentiality via unknown vectors related to Server Installation.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Protocol.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:P/I:N/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.26 and earlier allows remote authenticated users to affect confidentiality, related to MySQL Client.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:N/I:P/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.26 and earlier allows remote attackers to affect integrity and availability, related to MySQL Client.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
MySQL 5.1.x before 5.1.63 and 5.5.x before 5.5.24 allows remote authenticated users to cause a denial of service (mysqld crash) via vectors related to incorrect calculation and a sort order index.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
MySQL 5.1.x before 5.1.62 and 5.5.x before 5.5.22 allows remote authenticated users to cause a denial of service (assertion failure and mysqld abort) by deleting a record and using HANDLER READ NEXT.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.5.23 and earlier allows remote authenticated users to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in Oracle MySQL Server 5.5.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, and 5.5.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer, a different vulnerability than CVE-2012-1690.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote attackers to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.19 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer, a different vulnerability than CVE-2012-1703.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, and 5.5.22 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability, related to Server DML.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in yaSSL, as used in MySQL 5.5.20 and possibly other versions including 5.5.x before 5.5.22 and 5.1.x before 5.1.62, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VulnDisco Pack Professional 9.17. NOTE: as of 20120224, this disclosure has no actionable information. However, because the module author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. NOTE: due to lack of details, it is not clear whether this issue is a duplicate of CVE-2012-0492 or another CVE.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.60 and earlier, and 5.5.19 and earlier, allows remote authenticated users to affect availability, related to MyISAM.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.5.28 and earlier, allows remote authenticated users to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.28, has unspecified impact and attack vectors, a different vulnerability than CVE-2013-1492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier and 5.5.23 and earlier allows remote authenticated users to affect availability, related to GIS Extension.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:N/AC:H/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0485.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect confidentiality via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0485, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:P/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0113.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.0
(AV:L/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows local users to affect confidentiality and integrity via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:P/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0118.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0101.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0102.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0101 and CVE-2012-0102.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.7
(AV:N/AC:H/Au:M/C:N/I:P/A:N)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect integrity via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote attackers to affect availability via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL 5.1 before 5.1.51 allows remote authenticated users to cause a denial of service (server crash) by calling the PolyFromWKB function with Well-Known Binary (WKB) data containing a crafted number of (1) line strings or (2) line points.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (infinite loop) via multiple invocations of a (1) prepared statement or (2) stored procedure that creates a query with nested JOIN statements.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a query that uses the (1) GREATEST or (2) LEAST function with a mixed list of numeric and LONGBLOB arguments, which is not properly handled when the function's result is "processed using an intermediate temporary table."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a prepared statement that uses GROUP_CONCAT with the WITH ROLLUP modifier, probably triggering a use-after-free error when a copied object is modified in a way that also affects the original object.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (assertion failure and server crash) via vectors related to view preparation, pre-evaluation of LIKE predicates, and IN Optimizers.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (mysqld server crash) by performing a user-variable assignment in a logical expression that is calculated and stored in a temporary table for GROUP BY, then causing the expression value to be used after the table is created, which causes the expression to be re-evaluated instead of accessing its value from the table.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via vectors related to "materializing a derived table that required a temporary table for grouping" and "user variable assignments."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 does not properly propagate type errors, which allows remote attackers to cause a denial of service (server crash) via crafted arguments to extreme-value functions such as (1) LEAST and (2) GREATEST, related to KILL_BAD_DATA and a "CREATE TABLE ... SELECT."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 sends an OK packet when a LOAD DATA INFILE request generates SQL errors, which allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a crafted request.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL pointer dereference in the Item_singlerow_subselect::store function.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using the HANDLER interface and performing "alternate reads from two indexes on a table," which triggers an assertion failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by creating temporary tables with nullable columns while using InnoDB, which triggers an assertion failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via certain arguments to the BINLOG command, which triggers an access of uninitialized memory, as demonstrated by valgrind.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (crash) via (1) IN or (2) CASE operations with NULL arguments that are explicitly specified or indirectly provided by the WITH ROLLUP modifier.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a join query that uses a table with a unique SET column.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
storage/innobase/dict/dict0crea.c in mysqld in Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (assertion failure) by modifying the (1) innodb_file_format or (2) innodb_file_per_table configuration parameters for the InnoDB storage engine, then executing a DDL statement.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.6
(AV:L/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL 5.1 before 5.1.46 does not check privileges before uninstalling a plugin, which allows remote attackers to uninstall arbitrary plugins via the UNINSTALL PLUGIN command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x before 5.1.50, when running in certain slave configurations in which the slave is running a newer version than the master, allows remote attackers to execute arbitrary SQL commands via custom comments.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.4
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 allows remote authenticated users to cause a denial of service (crash) via "an XPath expression employing a scalar expression as a FilterExpr with ExtractValue() or UpdateXML()," which triggers an assertion failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
sql/sql_table.cc in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41, and 6.0 before 6.0.9-alpha, when the data home directory contains a symlink to a different filesystem, allows remote authenticated users to bypass intended access restrictions by calling CREATE TABLE with a (1) DATA DIRECTORY or (2) INDEX DIRECTORY argument referring to a subdirectory that requires following this symlink.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-134 Uncontrolled Format String
MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The federated engine in MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4, when performing a certain SHOW TABLE STATUS query, allows remote MySQL servers to cause a denial of service (federated handler crash and daemon crash) via a response that lacks the minimum required number of columns.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
MySQL 5.1.x before 5.1.23 and 6.0.x before 6.0.4 allows remote authenticated users to gain privileges on arbitrary tables via unspecified vectors involving use of table-level DATA DIRECTORY and INDEX DIRECTORY options when creating a partitioned table with the same name as a table on which the user lacks privileges.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:P/I:N/A:N)
MySQL before 5.1.18 allows remote authenticated users without SELECT privileges to obtain sensitive information from partitioned tables via an ALTER TABLE statement.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before 5.1.18 does not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allows remote authenticated users to gain privileges.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:N/I:P/A:P)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.
Vulnerable Software & Versions: (show all)
Description: Java Native Access Platform
License:
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html ASL, version 2: http://www.apache.org/licenses/File Path: D:\maven\repository\net\java\dev\jna\jna-platform\4.1.0\jna-platform-4.1.0.jar
Description: Java Native Access
License:
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html ASL, version 2: http://www.apache.org/licenses/File Path: D:\maven\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar
File Path: D:\maven\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar\com\sun\jna\w32ce-arm\jnidispatch.dll
MD5: 57697cbdd321ae7d06f5da04e821f908
SHA1: 67167f2b2fce8db5f9f64a372b0da54730d3ee51
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar\com\sun\jna\win32-x86-64\jnidispatch.dll
MD5: 06b2f1f909d2436dff20d7a668ef26a9
SHA1: bd1bdda9a91f3b0d9067e323f7394bef933f81f6
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\net\java\dev\jna\jna\4.1.0\jna-4.1.0.jar\com\sun\jna\win32-x86\jnidispatch.dll
MD5: 05a72ada9247aeb114a9ef01a394b6c4
SHA1: 8b32cc82740fc62afdf5ea211f1ca8bb72269bbf
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\net\jcip\jcip-annotations\1.0\jcip-annotations-1.0.jar
MD5: 9d5272954896c5a5d234f66b7372b17a
SHA1: afba4942caaeaf46aab0b976afd57cc7c181467e
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Serenity core libraries
License:
The Apache Software License, Version 2.0: http://www.apache.org/license/LICENSE-2.0.txtFile Path: D:\maven\repository\net\serenity-bdd\serenity-core\1.0.58\serenity-core-1.0.58.jar
Description: Serenity JBehave integration
License:
The Apache Software License, Version 2.0: http://www.apache.org/license/LICENSE-2.0.txtFile Path: D:\maven\repository\net\serenity-bdd\serenity-jbehave\1.0.23\serenity-jbehave-1.0.23.jar
Description: Serenity Report templates
License:
The Apache Software License, Version 2.0: http://www.apache.org/license/LICENSE-2.0.txtFile Path: D:\maven\repository\net\serenity-bdd\serenity-report-resources\1.0.58\serenity-report-resources-1.0.58.jar
Description: This is the ehcache core module. Pair it with other modules for added functionality.
License:
The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txtFile Path: D:\maven\repository\net\sf\ehcache\ehcache-core\2.5.1\ehcache-core-2.5.1.jar
File Path: D:\maven\repository\net\sf\ehcache\ehcache-core\2.5.1\ehcache-core-2.5.1.jar\net\sf\ehcache\pool\sizeof\sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: A simple library for CVS reading and writing in Java
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\net\sf\opencsv\opencsv\2.0\opencsv-2.0.jar
Description:
Scannotation is a Java library that creates an annotation database from a set of .class files
License:
Apache License V2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\net\sf\scannotation\scannotation\1.0.2\scannotation-1.0.2.jar
Description: A CSS parser which implements SAC (the Simple API for CSS).
License:
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl.txtFile Path: D:\maven\repository\net\sourceforge\cssparser\cssparser\0.9.16\cssparser-0.9.16.jar
Description:
HtmlCleaner is an HTML parser written in Java. It transforms dirty HTML to well-formed XML following
the same rules that most web-browsers use.
License:
BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: D:\maven\repository\net\sourceforge\htmlcleaner\htmlcleaner\2.10\htmlcleaner-2.10.jar
Description:
HtmlUnit adaptation of Mozilla Rhino Javascript engine for Java.
Changes are documented by a diff (rhinoDiff.txt) contained in the generated jar files.
License:
Mozilla Public License version 2.0: http://www.mozilla.org/MPL/2.0/File Path: D:\maven\repository\net\sourceforge\htmlunit\htmlunit-core-js\2.17\htmlunit-core-js-2.17.jar
Description: A headless browser intended for use in testing web-based applications.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\net\sourceforge\htmlunit\htmlunit\2.17\htmlunit-2.17.jar
Description: JExcelApi is a java library which provides the ability to read, write, and modify Microsoft Excel spreadsheets.
License:
GNU Lesser General Public License: http://www.opensource.org/licenses/lgpl-license.phpFile Path: D:\maven\repository\net\sourceforge\jexcelapi\jxl\2.6.12\jxl-2.6.12.jar
Description: An HTML parser and tag balancer.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\net\sourceforge\nekohtml\nekohtml\1.9.15\nekohtml-1.9.15.jar
Description: OGNL stands for Object-Graph Navigation Language; it is an expression language for getting and setting properties of Java objects.
License:
BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: D:\maven\repository\ognl\ognl\2.6.9\ognl-2.6.9.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
Vulnerable Software & Versions: (show all)
File Path: D:\maven\repository\org\antlr\antlr-complete\3.5.2\antlr-complete-3.5.2.jar
MD5: acfa69f928a0f1653555bda73091efca
SHA1: 7abf224f627594a3f4ae37fcfff296730f3f4edd
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\apache\ant\ant-launcher\1.7.1\ant-launcher-1.7.1.jar
MD5: b3a74162cefb389f8d3ee3f1324fb533
SHA1: a9cbbcefbbb5e7f97596045268243a8c1c7aafca
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Apache Ant
File Path: D:\maven\repository\org\apache\ant\ant\1.7.1\ant-1.7.1.jar
MD5: ef62988c744551fb51f330eaa311bfc0
SHA1: 1d33711018e7649a8427fff62a87f94f4e7d310f
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Core Parts of Axis 2.0. This includes Axis 2.0 engine, Client API, Addressing support, etc.,
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\axis2\axis2-kernel\1.5\axis2-kernel-1.5.jar
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-255 Credentials Management
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
Vulnerable Software & Versions: (show all)
Description: The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\commons\commons-collections4\4.1\commons-collections4-4.1.jar
Description:
Apache Commons Compress software defines an API for working with compression and archive formats.
These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\commons\commons-compress\1.4.1\commons-compress-1.4.1.jar
Description: Apache Commons Exec is a library to reliably execute external processes from within the JVM.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\commons\commons-exec\1.3\commons-exec-1.3.jar
Description:
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\commons\commons-lang3\3.3.2\commons-lang3-3.3.2.jar
Description: Apache Commons VFS is a Virtual File System library.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\commons\commons-vfs2\2.1-20150824\commons-vfs2-2.1-20150824.jar
Description: Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
File Path: D:\maven\repository\org\apache\derby\derby\10.5.3.0_1\derby-10.5.3.0_1.jar
MD5: 62528ed70e599cbd624f08e6ccb5d90f
SHA1: 0b0146dd76c2601a5a0632dd2e0b3b85e5b1b713
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: OSGi Service Platform Release 4 Core Interfaces and Classes.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\felix\org.osgi.core\1.0.0\org.osgi.core-1.0.0.jar
Description:
Apache HttpComponents Client
File Path: D:\maven\repository\org\apache\httpcomponents\httpclient\4.5.5\httpclient-4.5.5.jar
MD5: 97e7e5b135476b7d25a5ab31e1ea4922
SHA1: 1603dfd56ebcd583ccdf337b6c3984ac55d89e58
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
HttpComponents Core (blocking I/O)
File Path: D:\maven\repository\org\apache\httpcomponents\httpcore\4.3-alpha1\httpcore-4.3-alpha1.jar
MD5: 3ec9ed2f677f49db2b1a806586c443d5
SHA1: 21a828e4848b9cf8fdf722841f09488f4f699873
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
Apache HttpComponents HttpClient - MIME coded entities
File Path: D:\maven\repository\org\apache\httpcomponents\httpmime\4.4.1\httpmime-4.4.1.jar
MD5: 678b75d71032e823480a41123b6b3ce2
SHA1: 2f8757f5ac5e38f46c794e5229d1f3c522e9b1df
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Jackrabbit content repository implementation
File Path: D:\maven\repository\org\apache\jackrabbit\jackrabbit-core\2.16.1\jackrabbit-core-2.16.1.jar
MD5: b7e5c741d48dd4ba02aea2bfffff519c
SHA1: c9926e85ec098e6fcf5fcd92706092ef8223512b
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Jackrabbit DataStore Implentations
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\jackrabbit\jackrabbit-data\2.10.0\jackrabbit-data-2.10.0.jar
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Vulnerable Software & Versions: (show all)
Description: This bundle is the main Karaf launcher. It's responsible of the Karaf startup including
the console, branding, etc bootstrap.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\karaf\org.apache.karaf.main\3.0.3\org.apache.karaf.main-3.0.3.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication
In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-284 Improper Access Control
In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.
Vulnerable Software & Versions: (show all)
Description: Apache Lucene Java Core
File Path: D:\maven\repository\org\apache\lucene\lucene-core\3.6.0\lucene-core-3.6.0.jar
MD5: 183a82e9c391a1d2174f2cd327bdef1f
SHA1: 8a0429de6b7c9918841fa2c441a6ef4cc07f2a18
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
The Apache FontBox library is an open source Java tool to obtain low level information
from font files. FontBox is a subproject of Apache PDFBox.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\pdfbox\fontbox\2.0.4\fontbox-2.0.4.jar
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Font.php in the Font plugin before 7.5.1 for WordPress allows remote administrators to read arbitrary files via a full pathname in the url parameter to AjaxProxy.php.
Vulnerable Software & Versions:
Description: The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\pdfbox\pdfbox-app\2.0.0\pdfbox-app-2.0.0.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
Vulnerable Software & Versions: (show all)
Description: Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\poi\poi-scratchpad\3.15\poi-scratchpad-3.15.jar
Description: Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\poi\poi\3.17\poi-3.17.jar
Description:
Apache Santuario supports XML-Signature Syntax and Processing,
W3C Recommendation 12 February 2002, and XML Encryption Syntax and
Processing, W3C Recommendation 10 December 2002. As of version 1.4,
the Java library supports the standard Java API JSR-105: XML Digital
Signature APIs.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\santuario\xmlsec\1.4.4\xmlsec-1.4.4.jar
Description: This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also
includes the core facades for the Tika API.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\tika\tika-core\1.17\tika-core-1.17.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Vulnerable Software & Versions: (show all)
Description: XmlBeans main jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\xmlbeans\xmlbeans\2.6.0\xmlbeans-2.6.0.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\xmlgraphics\batik-css\1.8\batik-css-1.8.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Description: Batik Extension Support
File Path: D:\maven\repository\org\apache\xmlgraphics\batik-extension\1.9\batik-extension-1.9.jar
MD5: 12b4dc000de1ffaebdd02a17369b9e56
SHA1: 2e1f5d9da672694274cb0f623f0011199aa57ef2
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.
Vulnerable Software & Versions: (show all)
Description: Apache FOP (Formatting Objects Processor) is the world's first print formatter driven by XSL formatting objects (XSL-FO) and the world's first output independent formatter. It is a Java application that reads a formatting object (FO) tree and renders the resulting pages to a specified output. Output formats currently supported include PDF, PCL, PS, AFP, TIFF, PNG, SVG, XML (area tree representation), Print, AWT and TXT. The primary output target is PDF.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\xmlgraphics\fop\2.2\fop-2.2.jar
Description:
Apache XML Graphics Commons is a library that consists of several reusable
components used by Apache Batik and Apache FOP. Many of these components
can easily be used separately outside the domains of SVG and XSL-FO.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\apache\xmlgraphics\xmlgraphics-commons\2.2\xmlgraphics-commons-2.2.jar
Description: asciidoctor-java-integration is a java binding to Asciidoctor gem.
License:
Apache License Version 2.0File Path: D:\maven\repository\org\asciidoctor\asciidoctor-java-integration\0.1.3\asciidoctor-java-integration-0.1.3.jar
Description: The runtime needed to execute a program using AspectJ
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.htmlFile Path: D:\maven\repository\org\aspectj\aspectjrt\1.6.6\aspectjrt-1.6.6.jar
Description: The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.7. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: D:\maven\repository\org\bouncycastle\bcpkix-jdk15on\1.48\bcpkix-jdk15on-1.48.jar
Description:
Commons CLI provides a simple API for presenting, processing and validating a command line interface.
File Path: D:\maven\repository\org\codehaus\groovy\groovy-all\2.3.3\groovy-all-2.3.3.jar
MD5: 998b6987c8a51273f5abb7680a3eeab7
SHA1: 2ca73750564253964c70b396b6b5fda54a743f04
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 Security Features
main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
Vulnerable Software & Versions: (show all)
Description:
Commons CLI provides a simple API for presenting, processing and validating a command line interface.
File Path: D:\maven\repository\org\codehaus\groovy\groovy\2.3.9\groovy-2.3.9.jar
MD5: db03ce6c30d568c0ce055de65d6cf15a
SHA1: 1ed2b75409d009327e7d1acf205e1c0401078ad5
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 Security Features
main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
Vulnerable Software & Versions: (show all)
Description: Jackson is a high-performance JSON processor (parser, generator)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\codehaus\jackson\jackson-core-asl\1.9.2\jackson-core-asl-1.9.2.jar
Description: Extensions that provide interoperability support for
Jackson JSON processor's data binding functionality.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txtFile Path: D:\maven\repository\org\codehaus\jackson\jackson-xc\1.9.2\jackson-xc-1.9.2.jar
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Vulnerable Software & Versions: (show all)
Description: A StAX implementation for JSON.
File Path: D:\maven\repository\org\codehaus\jettison\jettison\1.2\jettison-1.2.jar
MD5: 4661a5152aa90f104948bdc78fdf255c
SHA1: 0765a6181653f4b05c18c7a9e8f5c1f8269bf9b2
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: A collection of various utility classes to ease working with strings, files, command lines, XML and
more.
File Path: D:\maven\repository\org\codehaus\plexus\plexus-utils\3.0.10\plexus-utils-3.0.10.jar
MD5: b8e14dd6e93c8f34888846dcac492160
SHA1: 65e6460a49460d2ca038f8644ff9ae6d878733b8
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Administrative parent pom for Jetty modules
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: D:\maven\repository\org\eclipse\jetty\jetty-io\9.2.11.v20150529\jetty-io-9.2.11.v20150529.jar
Description: Utility classes for Jetty
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: D:\maven\repository\org\eclipse\jetty\jetty-util\8.1.15.v20140411\jetty-util-8.1.15.v20140411.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Handling
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Vulnerable Software & Versions: (show all)
Description: Administrative parent pom for Jetty modules
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: D:\maven\repository\org\eclipse\jetty\websocket\websocket-api\9.2.11.v20150529\websocket-api-9.2.11.v20150529.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Handling
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Vulnerable Software & Versions: (show all)
Description: Core of FluentLenium
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\fluentlenium\fluentlenium-core\0.10.2\fluentlenium-core-0.10.2.jar
Description: FontBox is a Java font library used to obtain low level information from font files.
License:
BSD: http://www.fontbox.org/license.htmlFile Path: D:\maven\repository\org\fontbox\fontbox\0.1.0\fontbox-0.1.0.jar
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Font.php in the Font plugin before 7.5.1 for WordPress allows remote administrators to read arbitrary files via a full pathname in the url parameter to AjaxProxy.php.
Vulnerable Software & Versions:
Description:
FreeMarker is a "template engine"; a generic tool to generate text output based on templates.
License:
Apache License, Version 2.0: http://freemarker.org/LICENSE.txtFile Path: D:\maven\repository\org\freemarker\freemarker\2.3.21\freemarker-2.3.21.jar
File Path: D:\maven\repository\org\glassfish\metro\webservices-api\2.1\webservices-api-2.1.jar
MD5: ad7769c36cda829c51fb65f7c71b682f
SHA1: 7260dedfcdd0675821658b0bd9c8082814188ec9
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar
MD5: 694908af81368ffd291abdca6d5414fb
SHA1: 71abd9b6d551da067e4614177fdfd3dc5509bbd3
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Java.net - The Source for Java Technology Collaboration
License:
CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: D:\maven\repository\org\glassfish\web\javax.el\2.2.4\javax.el-2.2.4.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
Description:
QDox is a high speed, small footprint parser for extracting class/interface/method definitions from source files
complete with JavaDoc @tags. It is designed to be used by active code generators or documentation tools.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\hamcrest\hamcrest-all\1.3\hamcrest-all-1.3.jar
Description:
This is the core API of hamcrest matcher framework to be used by third-party framework providers. This includes the a foundation set of matcher implementations for common operations.
File Path: D:\maven\repository\org\hamcrest\hamcrest-core\1.3\hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
Provides integration between Hamcrest and other testing tools, including JUnit (3 and 4), TestNG, jMock and EasyMock.
File Path: D:\maven\repository\org\hamcrest\hamcrest-integration\1.3\hamcrest-integration-1.3.jar
MD5: c145982b549171841ead95bd2fee78ce
SHA1: 5de0c73fef18917cd85d0ab70bb23818685e4dfd
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
Hamcrest library of matcher implementations.
File Path: D:\maven\repository\org\hamcrest\hamcrest-library\1.3\hamcrest-library-1.3.jar
MD5: 110ad2ea84f7031a1798648b6b318e79
SHA1: 4785a3c21320980282f9f33d0d1264a69040538f
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Common reflection code used in support of annotation processing
License:
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.htmlFile Path: D:\maven\repository\org\hibernate\common\hibernate-commons-annotations\4.0.4.Final\hibernate-commons-annotations-4.0.4.Final.jar
Description: The core O/RM functionality as provided by Hibernate
License:
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.htmlFile Path: D:\maven\repository\org\hibernate\hibernate-core\4.3.5.Final\hibernate-core-4.3.5.Final.jar
Description: Integration of Hibernate with Ehcache
File Path: D:\maven\repository\org\hibernate\hibernate-ehcache\3.6.0.Final\hibernate-ehcache-3.6.0.Final.jar
MD5: f5c75ee1f3859b09905398aabdc75fe9
SHA1: 95c3d794d0bdf39dfbe70a67863f9b204c9e0614
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Hibernate's Bean Validation (JSR-303) reference implementation.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\hibernate\hibernate-validator\5.1.1.Final\hibernate-validator-5.1.1.Final.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.
Vulnerable Software & Versions: (show all)
Description: Clean-room definition of JPA APIs intended for use in developing Hibernate JPA implementation. See README.md for details
License:
Eclipse Public License (EPL), Version 1.0: http://www.eclipse.org/legal/epl-v10.html Eclipse Distribution License (EDL), Version 1.0: http://www.eclipse.org/org/documents/edl-v10.phpFile Path: D:\maven\repository\org\hibernate\javax\persistence\hibernate-jpa-2.1-api\1.0.0.Final\hibernate-jpa-2.1-api-1.0.0.Final.jar
Description: Java API for handling configuration files in Windows .ini format. The library includes its own Map based API, Java Preferences API and Java Beans API for handling .ini files. Additionally, the library includes a feature rich (variable/macro substitution, multiply property values, etc) java.util.Properties replacement.
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\ini4j\ini4j\0.5.2\ini4j-0.5.2.jar
File Path: D:\maven\repository\org\jasig\cas\client\cas-client-core\3.3.2\cas-client-core-3.3.2.jar
MD5: e8379957f4366aca2420003d2f29d84a
SHA1: 5f78c843136d73d816608c9c9b365fa2c0aa0316
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation
simple. It is a class library for editing bytecodes in Java.
License:
MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html Apache License 2.0: http://www.apache.org/licenses/File Path: D:\maven\repository\org\javassist\javassist\3.20.0-GA\javassist-3.20.0-GA.jar
Description: JBehave Core contains all the core functionality for running BDD stories.
File Path: D:\maven\repository\org\jbehave\jbehave-core\3.9.3\jbehave-core-3.9.3.jar
MD5: c0a25086212ad8c4264919c7e6e14cc5
SHA1: 3ee85da44f2e3b2facbbc0f3dd39f88594bd34a8
Referenced In Project/Scope:
saiku biserver plugin:compile
License:
AL 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jboss\jandex\1.1.0.Final\jandex-1.1.0.Final.jar
File Path: D:\maven\repository\org\jboss\logging\jboss-logging-annotations\1.2.0.Beta1\jboss-logging-annotations-1.2.0.Beta1.jar
MD5: 938e552e319015a8863dd91284aada54
SHA1: 2f437f37bb265d9f8f1392823dbca12d2bec06d6
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: The JBoss Logging Framework
License:
Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jboss\logging\jboss-logging\3.1.3.GA\jboss-logging-3.1.3.GA.jar
Description: The Java Transaction 1.2 API classes
License:
Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txtFile Path: D:\maven\repository\org\jboss\spec\javax\transaction\jboss-transaction-api_1.2_spec\1.0.0.Final\jboss-transaction-api_1.2_spec-1.0.0.Final.jar
Description:
A complete, Java-based solution for accessing, manipulating,
and outputting XML data
License:
Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txtFile Path: D:\maven\repository\org\jdom\jdom2\2.0.5\jdom2-2.0.5.jar
Description:
JDOM is, quite simply, a Java representation of an XML document. JDOM provides a way to represent that document for
easy and efficient reading, manipulation, and writing. It has a straightforward API, is a lightweight and fast, and
is optimized for the Java programmer. It's an alternative to DOM and SAX, although it integrates well with both DOM
and SAX.
File Path: D:\maven\repository\org\jdom\jdom\1.1\jdom-1.1.jar
MD5: adf67fc5dcf48e1593640ad7e02f6ad4
SHA1: 1d04c0f321ea337f3661cf7ede8f4c6f653a8fdd
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: JempBox is an open source Java library that implements Adobe's XMP(TM) specification.
License:
BSD: http://www.jempbox.org/license.htmlFile Path: D:\maven\repository\org\jempbox\jempbox\0.2.0\jempbox-0.2.0.jar
Description: JRuby 1.7.4 OSGi bundle
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar
MD5: be7116ad25e9535a09bbd1a49934ab30
SHA1: 74984d84846523bd7da49064679ed1ccf199e1db
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Vulnerable Software & Versions:
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\jni\i386-Windows\jffi-1.2.dll
MD5: 841e60814ed6b2971a47b267aef1c58a
SHA1: 07d30c6407fefad8df4b6afc4d85f83e547975ca
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\jni\x86_64-Windows\jffi-1.2.dll
MD5: 5d80b61c1f9e31860c17b3a410948e7e
SHA1: 5ca292116336ee4ceed00d10e756afea580e62cf
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\jruby.home\bin\jrubyw.exe
MD5: 7fac7402fa849bebb8ed0823f84c2177
SHA1: b752812d5570ac91fdfd85c548348d1ae1f6e1d4
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\1.9\json\ext\generator.jar
MD5: 071287692350840c3af274e0e3de1f6d
SHA1: dbf8269aaed5a870f6d4f52b210fa96f63c29d6c
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\1.9\json\ext\parser.jar
MD5: 60062e853bc5ed39d157b3754487ad78
SHA1: 9e20a79badf407b5a3aa18b58feccdfa5c0cc2af
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\bcpkix-jdk15on-147.jar
MD5: a4316d3710840f4b7152b7ac1c904679
SHA1: cd204e6f26d2bbf65ff3a30de8831d3a1344e851
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\bcprov-jdk15on-147.jar
MD5: 7749dd7eca4403fb968ddc484263736a
SHA1: b6f5d9926b0afbde9f4dbe3db88c5247be7794bb
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\jopenssl.jar
MD5: ac1f8fcfe232a0feb2da920d64400ec0
SHA1: a49ddf324632e55a3e70cc9951948d6b415a9a97
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
Low
CVSS Score: 1.9
(AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.9
(AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.9
(AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.9
(AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
** DISPUTED ** cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. NOTE: the vendor does not include side-channel attacks within its threat model.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-320 Key Management Errors
A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-320 Key Management Errors
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code
The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.1
(AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.9
(AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:H/Au:N/C:N/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:L/AC:L/Au:N/C:N/I:N/A:C)
Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 1.2
(AV:L/AC:H/Au:N/C:P/I:N/A:N)
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX platforms.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
Vulnerable Software & Versions: (show all)
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\kryptcore.jar
MD5: d824332166eee8cc7d51e37ce21007be
SHA1: 9cb457a24abcf6451fb23f2f70603e0ced3e5592
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\jruby.home\lib\ruby\shared\kryptproviderjdk.jar
MD5: 282a7d8c57b3ecf27278c9489f4be6d4
SHA1: 32b15c5bc9238035fc6e4f9cdeb1da48e7268cce
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\native\windows32\jansi.dll
MD5: 1f2e782f590fd99e3e8820565a5d5efb
SHA1: da125d2255050e13db6a84325e40f5c20eae81af
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF\native\windows64\jansi.dll
MD5: f4f883eaf7f7413a085d9868511af8a9
SHA1: 5da042be27f3b6f0a8e6cff07ad678c6975726a4
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
Provides a streaming API to access attachments parts in a MIME message.
License:
CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: D:\maven\repository\org\jvnet\mimepull\mimepull\1.9.4\mimepull-1.9.4.jar
Description: Mock objects library for java
License:
The MIT License: http://code.google.com/p/mockito/wiki/LicenseFile Path: D:\maven\repository\org\mockito\mockito-all\1.8.5\mockito-all-1.8.5.jar
Description: Servlet Specification 2.5 API
License:
CDDL 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.htmlFile Path: D:\maven\repository\org\mortbay\jetty\servlet-api-2.5\6.1.9\servlet-api-2.5-6.1.9.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Mort Bay Jetty 6.x and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
Vulnerable Software & Versions: (show all)
Description:
Rhino is an open-source implementation of JavaScript written entirely in Java. It is typically
embedded into Java applications to provide scripting to end users.
License:
Mozilla Public License, Version 2.0: http://www.mozilla.org/MPL/2.0/index.txtFile Path: D:\maven\repository\org\mozilla\rhino\1.7R5\rhino-1.7R5.jar
Description: Artifactory auto generated POM
File Path: D:\maven\repository\org\netbeans\jmi\200507110943\jmi-200507110943.jar
MD5: b3121f6b2fdd0b111ce498d3fca22f52
SHA1: 97c79cca361f37521396472e30fd8f2145f2c6b7
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Artifactory auto generated POM
File Path: D:\maven\repository\org\netbeans\jmiutils\200507110943\jmiutils-200507110943.jar
MD5: ff499e340a13c7846e617565c6c4509f
SHA1: 27811ee82d19293e75b6c4b9c602ec2f8780eb83
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Artifactory auto generated POM
File Path: D:\maven\repository\org\netbeans\mdrapi\200507110943\mdrapi-200507110943.jar
MD5: 86c8d7cb19f9ce488654998ff3d44865
SHA1: d50b2ddba9d5f56412b0bfd85e2c9b8f4d84f9a0
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Artifactory auto generated POM
File Path: D:\maven\repository\org\netbeans\mof\200507110943\mof-200507110943.jar
MD5: e8015ee5be9e177e69d305a6007a653a
SHA1: 4e18215c086ccd6953a75ee7659329fdc5a5e1be
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Artifactory auto generated POM
File Path: D:\maven\repository\org\netbeans\nbmdr\200507110943-custom\nbmdr-200507110943-custom.jar
MD5: 204cc8956d8c719b4d3cf56cdd353122
SHA1: 6bf48285a1b73246eebd3ad82fc8d014901fba81
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Artifactory auto generated POM
File Path: D:\maven\repository\org\netbeans\openide-util\200507110943\openide-util-200507110943.jar
MD5: 287508797c7b43bacc07bfe972a557f5
SHA1: 93b7a9212e13f19ceb24c9b20845f8daea20d2d3
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: A library for instantiating Java objects
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\objenesis\objenesis\2.1\objenesis-2.1.jar
File Path: D:\maven\repository\org\olap4j\olap4j-xmla\TRUNK-SNAPSHOT\olap4j-xmla-TRUNK-SNAPSHOT.jar
MD5: b4040c5c434515b2178d453d697a1ece
SHA1: 177dbad7acdcdcfe842250c897612d5f37ad8d0a
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: XML for Analysis (XMLA) server based upon olap4j connections
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: D:\maven\repository\org\olap4j\olap4j-xmlaserver\1.2.0\olap4j-xmlaserver-1.2.0.jar
File Path: D:\maven\repository\org\olap4j\olap4j\TRUNK-SNAPSHOT\olap4j-TRUNK-SNAPSHOT.jar
MD5: ba362fac932ff2770f83025880e9c2f0
SHA1: a4eb92afde4af322120377a6c17da15893ea483e
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language
(SAML).
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\opensaml\opensaml\2.5.1-1\opensaml-2.5.1-1.jar
Description:
The OpenWS library provides a growing set of tools to work with web services at a low level. These tools include
classes for creating and reading SOAP messages, transport-independent clients for connecting to web services,
and various transports for use with those clients.
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\opensaml\openws\1.4.2-1\openws-1.4.2-1.jar
Description:
XMLTooling-J is a low-level library that may be used to construct libraries that allow developers to work with
XML in a Java beans manner.
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\opensaml\xmltooling\1.3.2-1\xmltooling-1.3.2-1.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.
Vulnerable Software & Versions:
File Path: D:\maven\repository\org\ow2\asm\asm\5.0.3\asm-5.0.3.jar
MD5: ccebee99fb8cdd50e1967680a2eac0ba
SHA1: dcc2193db20e19e1feca8b1240dbbc4e190824fa
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
The OWASP Encoders package is a collection of high-performance low-overhead
contextual encoders, that when utilized correctly, is an effective tool in
preventing Web Application security vulnerabilities such as Cross-Site
Scripting.
File Path: D:\maven\repository\org\owasp\encoder\encoder\1.2\encoder-1.2.jar
MD5: 6224af43fac2a66741506df021ee7833
SHA1: 3725ab6ba4e15c574c013da7fa61b5c39ae6f9e1
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP website. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
License:
BSD: http://www.opensource.org/licenses/bsd-license.php Creative Commons 3.0 BY-SA: http://creativecommons.org/licenses/by-sa/3.0/File Path: D:\maven\repository\org\owasp\esapi\esapi\2.0GA\esapi-2.0GA.jar
Description: Artifactory auto generated POM
File Path: D:\maven\repository\org\pentaho\pentaho-vfs\1.0\pentaho-vfs-1.0.jar
MD5: 287ed0d3bd4b18d57cbb475560d31a33
SHA1: 1af11a853631dfefe0838ae1240637633d16eeb1
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: LibBase is a library developed to provide base services like
logging, configuration and initialization to all other libraries
and applications. The library is the root library for all other
Pentaho-Reporting projects.
License:
GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.htmlFile Path: D:\maven\repository\org\pentaho\reporting\library\libbase\7.1.0.0-12\libbase-7.1.0.0-12.jar
Description: LibFormula provides Excel-Style-Expressions. The implementation provided
here is very generic and can be used in any application that needs to
compute formulas.
License:
GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.htmlFile Path: D:\maven\repository\org\pentaho\reporting\library\libformula\7.1.0.0-12\libformula-7.1.0.0-12.jar
File Path: D:\maven\repository\org\quartz-scheduler\quartz\1.7.2\quartz-1.7.2.jar
MD5: c702f0825b40abffe6f5a6b6b29ceaa8
SHA1: b7d726d31f03108ffbc2a76ebb968dcb75b24c57
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Reflections - a Java runtime metadata analysis
File Path: D:\maven\repository\org\reflections\reflections\0.9.8\reflections-0.9.8.jar
MD5: 46192a2539fbe9e1fb69f8e5764e3aaa
SHA1: f723abb59bf512952bfc503838f70f81487a6993
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\saiku\saiku-query\0.4-SNAPSHOT\saiku-query-0.4-SNAPSHOT.jar
MD5: f90c0ec1d10509ac9513e1058b7f4885
SHA1: 5a820cf7bfa63b244da3b3becde251373acce33e
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: JCIFS is an Open Source client library that implements the CIFS/SMB networking protocol in 100% Java
License:
GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.txtFile Path: D:\maven\repository\org\samba\jcifs\jcifs\1.3.3\jcifs-1.3.3.jar
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-275 Permission Issues
A flaw was found in the way an LDAP search expression could crash the shared LDAP server process of a samba AD DC in samba before version 4.10. An authenticated user, having read permissions on the LDAP server, could use this flaw to cause denial of service.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a denial of service vulnerability (fd_open_atomic infinite loop with high CPU usage and memory consumption) due to wrongly handling dangling symlinks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.8
(AV:A/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-200 Information Exposure
An information leak flaw was found in the way SMB1 protocol was implemented by Samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-254 Security Features
It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce "SMB signing" when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SMB2 implementation in Samba 3.6.x before 3.6.6, as used on the IBM Storwize V7000 Unified 1.3 before 1.3.2.3 and 1.4 before 1.4.0.1 and possibly other products, does not properly enforce CIFS share attributes, which allows remote authenticated users to (1) write to a read-only share; (2) trigger data-integrity problems related to the oplock, locking, coherency, or leases attribute; or (3) have an unspecified impact by leveraging incorrect handling of the browseable or "hide unreadable" parameter.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-189 Numeric Errors
The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.2
(AV:L/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The check_mtab function in client/mount.cifs.c in mount.cifs in smbfs in Samba 3.5.10 and earlier does not properly verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-0547.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Unspecified vulnerability on HP NonStop Servers with software H06.x through H06.23.00 and J06.x through J06.12.00, when Samba is used, allows remote authenticated users to execute arbitrary code via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.3
(AV:L/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
smbfs in Samba 3.5.8 and earlier attempts to use (1) mount.cifs to append to the /etc/mtab file and (2) umount.cifs to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse functions in Samba before 3.5.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Windows Security ID (SID) on a file share.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The reply_sesssetup_and_X_spnego function in sesssetup.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to trigger an out-of-bounds read, and cause a denial of service (process crash), via a \xff\xff security blob length in a Session Setup AndX request.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The chain_reply function in process.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) via a Negotiate Protocol request with a certain 0x0003 field value followed by a Session Setup AndX request with a certain 0x8003 field value.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-16 Configuration
distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Stack-based buffer overflow in the reply_nttrans function in Samba 2.2.7a and earlier allows remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2003-0201.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Samba before 2.2.5 does not properly terminate the enum_csc_policy data structure, which may allow remote attackers to execute arbitrary code via a buffer overflow attack.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:N/I:P/A:N)
Samba before 2.2.0 allows local attackers to overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.
Vulnerable Software & Versions:
File Path: D:\maven\repository\org\scannotation\scannotation\1.0.2\scannotation-1.0.2.jar
MD5: 4c832a91b82d9a30ad22d6c4b98f9fc7
SHA1: 00d0b600c3719ca990c5c84acb33a65f20c57064
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Browser automation framework dependency on jetty
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\seleniumhq\selenium\jetty-rc-repacked\5\jetty-rc-repacked-5.jar
File Path: D:\maven\repository\org\seleniumhq\selenium\jetty-repacked\7.6.1\jetty-repacked-7.6.1.jar
MD5: 347692e3881d4c5fd09a6b35a307ad58
SHA1: 3937008b2f7c124f52f7734eba4f6efc148799c6
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-api\2.46.0\selenium-api-2.46.0.jar
MD5: 2432c8c1e0936235edace46d62f0947e
SHA1: 7c0cbf344f94b821954b0fb2a11fc3f0852d4195
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-chrome-driver\2.46.0\selenium-chrome-driver-2.46.0.jar
MD5: 4e4d30e1baef8b867ba4f91324fe3c16
SHA1: 2bb778d663e16595be78879a212c29b4c4914595
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-310 Cryptographic Issues
selenium-chromedriver is a simple utility for downloading the Selenium Webdriver for Google Chrome selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
Vulnerable Software & Versions:
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-firefox-driver\2.46.0\selenium-firefox-driver-2.46.0.jar
MD5: 20a8317c1cab6d7bdd36f1d51eeec791
SHA1: 0af50b36b2fd40125d1f282dedb926892b68d432
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-htmlunit-driver\2.46.0\selenium-htmlunit-driver-2.46.0.jar
MD5: 48a19caed5b6c80930af6101c8fb90da
SHA1: 8195bfe5ce96fa26661965a1ed7532413f56d99f
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-ie-driver\2.46.0\selenium-ie-driver-2.46.0.jar
MD5: 4f7186d133c97c91dc14afd129e81758
SHA1: 6562c1dc60a49dfe742e14fecc61042475433994
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-java\2.46.0\selenium-java-2.46.0.jar
MD5: 5b626c8e23978114ab3aa853980b60c9
SHA1: 65e7f54757499d6b50fe722a7278af52a96baf98
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-leg-rc\2.46.0\selenium-leg-rc-2.46.0.jar
MD5: 4a2f7e2633956549a4ab5636ff2aa4a9
SHA1: 3a4075f1e826de2165568bb60d44808b92e45639
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-remote-driver\2.46.0\selenium-remote-driver-2.46.0.jar
MD5: 7076a0d3e39531c6ebe8c880570412ed
SHA1: 729394bd92eca8a3749fc8ace1b3304c8ed0ae07
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-safari-driver\2.46.0\selenium-safari-driver-2.46.0.jar
MD5: ee0aa4693cffbc911630b87c36215686
SHA1: db77237dc6a400709d2e3edeef7448554f39969c
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-server\2.46.0\selenium-server-2.46.0.jar
MD5: 8a846a0e5ce1414305781e3d4fbd49f4
SHA1: 9728558d5889b9bbdd8dc9a27a3103e420438e2f
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-server\2.46.0\selenium-server-2.46.0.jar\customProfileDirCUSTFF\extensions\readystate@openqa.org\chrome\readystate.jar
MD5: 0bcafd7a486e7b6fc723da851db19a7b
SHA1: 63a6bdeee413d62ad8db3473797475243e99ec8e
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-server\2.46.0\selenium-server-2.46.0.jar\hudsuckr\hudsuckr.exe
MD5: 2a9cca56785eab06a70e5d35523bcec9
SHA1: 89c44639f3bd4b4c7ee05286bb1748c9ae68eab1
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\org\seleniumhq\selenium\selenium-support\2.46.0\selenium-support-2.46.0.jar
MD5: 6b3d973a87cb820e675635316c7f1ff8
SHA1: fa26d31b92a30b40d9622964b587ee0f6e254357
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: JCL 1.1.1 implemented over SLF4J
File Path: D:\maven\repository\org\slf4j\jcl-over-slf4j\1.7.7\jcl-over-slf4j-1.7.7.jar
MD5: 32ad130f946ef0460af416397b7fc7b7
SHA1: 56003dcd0a31deea6391b9e2ef2f2dc90b205a92
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
JUL to SLF4J bridge
File Path: D:\maven\repository\org\slf4j\jul-to-slf4j\1.6.1\jul-to-slf4j-1.6.1.jar
MD5: b0707d398e9ad652c4d4f5d6ec51ebff
SHA1: c5300fc91f48697ae3f0d8ec8eac7a43a9dd03f7
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: The slf4j API
File Path: D:\maven\repository\org\slf4j\slf4j-api\1.6.4\slf4j-api-1.6.4.jar
MD5: 75e1a2a3b84c59bf9d4f42de57a533b1
SHA1: 2396d74b12b905f780ed7966738bb78438e8371a
Referenced In Project/Scope:
saiku biserver plugin:compile
Description:
The slf4j log4j-12 binding
File Path: D:\maven\repository\org\slf4j\slf4j-log4j12\1.6.4\slf4j-log4j12-1.6.4.jar
MD5: 4ea379002969e41feab169d33815ed45
SHA1: 6b4973e0320e220ec6534478d60233fd1cc51c9b
Referenced In Project/Scope:
saiku biserver plugin:compile
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0File Path: D:\maven\repository\org\springframework\se-jcr\0.9\se-jcr-0.9.jar
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Description: spring-security-cas
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\springframework\security\spring-security-cas\4.0.1.RELEASE\spring-security-cas-4.0.1.RELEASE.jar
Description: spring-security-config
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\springframework\security\spring-security-config\4.0.1.RELEASE\spring-security-config-4.0.1.RELEASE.jar
Description: spring-security-core
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\springframework\security\spring-security-core\4.1.3.RELEASE\spring-security-core-4.1.3.RELEASE.jar
Description: spring-security-web
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\springframework\security\spring-security-web\4.0.1.RELEASE\spring-security-web-4.0.1.RELEASE.jar
Description: Spring Context Support
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\springframework\spring-context-support\4.1.6.RELEASE\spring-context-support-4.1.6.RELEASE.jar
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Vulnerable Software & Versions: (show all)
Description: Spring Core
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\springframework\spring-core\4.1.6.RELEASE\spring-core-4.1.6.RELEASE.jar
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Vulnerable Software & Versions: (show all)
Description: Spring Expression Language (SpEL)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\springframework\spring-expression\4.3.2.RELEASE\spring-expression-4.3.2.RELEASE.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 Security Features
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Description: Spring Binding
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\springframework\webflow\spring-binding\2.4.4.RELEASE\spring-binding-2.4.4.RELEASE.jar
Description: SAC is a standard interface for CSS parsers.
License:
The W3C Software License: http://www.w3.org/Consortium/Legal/copyright-software-19980720File Path: D:\maven\repository\org\w3c\css\sac\1.3\sac-1.3.jar
Description: A Java event based WebSocket and HTTP server
License:
BSD License: http://www.opensource.org/licenses/bsd-licenseFile Path: D:\maven\repository\org\webbitserver\webbit\0.4.14\webbit-0.4.14.jar
Description: YAML 1.1 parser and emitter for Java
License:
Apache License Version 2.0: LICENSE.txtFile Path: D:\maven\repository\org\yaml\snakeyaml\1.7\snakeyaml-1.7.jar
File Path: D:\maven\repository\oro\oro\2.0.8\oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\pentaho-kettle\kettle-core\7.1.0.0-12\kettle-core-7.1.0.0-12.jar
MD5: befbe21a1fe7b5b9f0c75222776df05f
SHA1: cfe3ae6991fe2ae128f01fd710011317a03602ec
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\pentaho-kettle\kettle-engine\7.1.0.0-12\kettle-engine-7.1.0.0-12.jar
MD5: 4988b0777d192760f3ea637ebc35e126
SHA1: 993d370216eef32cee173c207d058c292f498c9b
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\pentaho\cpf-core\7.1.0.0-12\cpf-core-7.1.0.0-12.jar
MD5: 4e316442c0351677118205bd6731f650
SHA1: ac812467a493c3dd7f763aec21be5d6a70349a25
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\pentaho\cpf-pentaho\7.1.0.0-12\cpf-pentaho-7.1.0.0-12.jar
MD5: 9c8761d81054252af371d9e96d680241
SHA1: 08927cb700b13817539d9216416d6050ba22c46d
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: A flexible metadata, data and configuration information store
File Path: D:\maven\repository\pentaho\metastore\7.1.0.0-12\metastore-7.1.0.0-12.jar
MD5: 67a29c3ea572e82030944bdf03461436
SHA1: 830286cbb6c9db6a7a33f4cee1db3f7c22036287
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\pentaho\mondrian\3.11.0.0-353\mondrian-3.11.0.0-353.jar
MD5: 12216830c8d9c5f00dac758259d90c07
SHA1: cff98794c5b9defca01e5c6585a2d48da9491a12
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Pentaho variant of concurrent-1.3.4.jar
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\pentaho\pentaho-concurrent\1.0.0\pentaho-concurrent-1.0.0.jar
Description: The Pentaho Connections API defines a common set of interfaces for dealing with connections and result sets.
File Path: D:\maven\repository\pentaho\pentaho-connections\7.1.0.0-12\pentaho-connections-7.1.0.0-12.jar
MD5: 2cd59910c0a759aa53aa8384ead00422
SHA1: 7fba3a3c22a00b89d8e9d3f26b351d5843f65dae
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\pentaho\pentaho-cwm\1.5.4\pentaho-cwm-1.5.4.jar
MD5: 6a30717982c9784a9594ba5b94ef7ddc
SHA1: 2ff291bf32d447e9e033d293a3db9dc54292f71b
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Pentaho Metadata Core
File Path: D:\maven\repository\pentaho\pentaho-metadata\7.1.0.0-12\pentaho-metadata-7.1.0.0-12.jar
MD5: db664b2cb6b2524099d0f2a8bfb4a9a1
SHA1: 000734c7e9e4fdfbdc72153ce18a6b98fb310ca9
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\pentaho\pentaho-platform-api\5.0.0\pentaho-platform-api-5.0.0.jar
MD5: 3979e511c98661f320440e03786c9b10
SHA1: d17317bed1fa6ffe9f8d256d431be09c40676544
Referenced In Project/Scope:
saiku biserver plugin:provided
File Path: D:\maven\repository\pentaho\pentaho-platform-core\5.0.0\pentaho-platform-core-5.0.0.jar
MD5: f0f14ff03d6a0ac57a2d006997e800bf
SHA1: 204ecbee356ceb577986625f65cf1abac60287f2
Referenced In Project/Scope:
saiku biserver plugin:provided
File Path: D:\maven\repository\pentaho\pentaho-platform-extensions\5.0.0\pentaho-platform-extensions-5.0.0.jar
MD5: ed8e2f33574c4d7f9cc010ec5bfaac1c
SHA1: 9b895104b995e986685e94900f1cecbcdcca20ab
Referenced In Project/Scope:
saiku biserver plugin:provided
File Path: D:\maven\repository\pentaho\pentaho-platform-repository\7.1.0.0-12\pentaho-platform-repository-7.1.0.0-12.jar
MD5: c1fcaee8ce8560476b721c178c134575
SHA1: 8cc080016101545af29cb7c872b6fa3d7ceb700d
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\pentaho\pentaho-registry\7.1.0.0-12\pentaho-registry-7.1.0.0-12.jar
MD5: e4ca1d56994b75eefab866d6df37a15a
SHA1: 774584ebd0fa00c8651f089e54fcf8fb448b2efb
Referenced In Project/Scope:
saiku biserver plugin:compile
File Path: D:\maven\repository\pentaho\simple-jndi\1.0.0\simple-jndi-1.0.0.jar
MD5: c4801c690ee5ac953ddb84141e91e037
SHA1: 0975a7cf3eddbd8cbd2ad004d55b31f27e7dea53
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: Auto generated POM
File Path: D:\maven\repository\secondstring\secondstring\20060615\secondstring-20060615.jar
MD5: f3295a8389944ae33156904781ed7742
SHA1: c4724ed5bfbd19a28675c96274b81c9d34a0cd01
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: StAX API is the standard java XML processing API defined by JSR-173
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\stax\stax-api\1.0.1\stax-api-1.0.1.jar
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").
Vulnerable Software & Versions:
Description: Apache Velocity is a general purpose template engine.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\velocity\velocity\1.5\velocity-1.5.jar
Description: Java stub generator for WSDL
License:
CPL: http://www.opensource.org/licenses/cpl1.0.txtFile Path: D:\maven\repository\wsdl4j\wsdl4j\1.6.2\wsdl4j-1.6.2.jar
File Path: D:\maven\repository\xalan\xalan\2.7.0\xalan-2.7.0.jar
MD5: a018d032c21a873225e702b36b171a10
SHA1: a33c0097f1c70b20fa7ded220ea317eb3500515e
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Vulnerable Software & Versions: (show all)
Description: Xerces2 is the next generation of high performance, fully
compliant XML parsers in the Apache Xerces family. This new
version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and
configurations that is extremely modular and easy to program.
File Path: D:\maven\repository\xerces\xercesImpl\2.8.1\xercesImpl-2.8.1.jar
MD5: e86f321c8191b37bd720ff5679f57288
SHA1: 25101e37ec0c907db6f0612cbf106ee519c1aef1
Referenced In Project/Scope:
saiku biserver plugin:compile
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Vulnerable Software & Versions:
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
File Path: D:\maven\repository\xml-apis\xml-apis-ext\1.3.04\xml-apis-ext-1.3.04.jar
MD5: bcb07d3b8d2397db7a3013b6465d347b
SHA1: 41a8b86b358e87f3f13cf46069721719105aff66
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
File Path: D:\maven\repository\xml-apis\xml-apis\1.3.04\xml-apis-1.3.04.jar
MD5: 9ae9c29e4497fc35a3eade1e6dd0bbeb
SHA1: 90b215f48fe42776c8c7f6e3509ec54e84fd65ef
Referenced In Project/Scope:
saiku biserver plugin:compile
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier.
File Path: D:\maven\repository\xml-resolver\xml-resolver\1.2\xml-resolver-1.2.jar
MD5: 706c533146c1f4ee46b66659ea14583a
SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
Referenced In Project/Scope:
saiku biserver plugin:runtime
License:
Public Domain: http://www.xmlpull.org/v1/download/unpacked/LICENSE.txtFile Path: D:\maven\repository\xmlpull\xmlpull\1.1.3.1\xmlpull-1.1.3.1.jar
Description: MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.
License:
Indiana University Extreme! Lab Software License, vesion 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt Public Domain: http://creativecommons.org/licenses/publicdomainFile Path: D:\maven\repository\xpp3\xpp3_min\1.1.4c\xpp3_min-1.1.4c.jar
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-api/pom.xml
MD5: 909b59fe332febfb92157e47e6019a32
SHA1: e663b56d78c448d4c6f7c3cc5dcdd0c14329c2c9
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-common/pom.xml
MD5: 2c7b0ba9e511473325120b3c7aab57b8
SHA1: 8795fa2e4cba11160230cf8ebf6ffd3bc4ac5926
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-core/pom.xml
MD5: 12a3ec117714215973df9b698167005f
SHA1: 165c74e256df1afd64fcaf23039fc867a693ac9e
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-decoder-api/pom.xml
MD5: 9ab0b566384b8944687c381180847cef
SHA1: 89808e91fac25af7b701862ef6c8b7f85716e89a
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-decoder-v2/pom.xml
MD5: d59a2d890e1744cd305062006853c5e7
SHA1: f5e4fcd405f6ebc99985c230f0445affc30e44e7
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras-legacy/pom.xml
MD5: b3be26a03cca9828d36a78ac82ab329f
SHA1: 6f71a5682cb310356e34ac04d4e921b0223effa8
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/com.atlassian.extras/atlassian-extras/pom.xml
MD5: 140497faeb4cb9926dd16b52ddc6697a
SHA1: 4c95207ae79b96f6aefd86df93fd26dfb2aece22
Description:
The codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/commons-codec/commons-codec/pom.xml
MD5: 1c2024aae272aaf64f445522865808a5
SHA1: c74b24443fcf3d118722d9fca0a4f7b14145b4e7
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
File Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/commons-lang/commons-lang/pom.xml
MD5: cca9ee287cb26a44a2f65450a24957cd
SHA1: 347d60b180fa80e5699d8e2cb72c99c93dda5454
Description: Google Gson library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\com\cenqua\clover\clover\3.3.0\clover-3.3.0.jar\META-INF/maven/com.google.code.gson/gson/pom.xml
Description: Core Hazelcast Module
File Path: D:\maven\repository\com\hazelcast\hazelcast\3.6.2\hazelcast-3.6.2.jar\META-INF/maven/com.hazelcast/hazelcast/pom.xml
MD5: 4c39b5675e6563ef2e20e0668e0a7cd1
SHA1: 023f0921397d3d605b642f9871726629035fe85c
Description: A Minimal JSON Parser and Writer
License:
MIT License: http://opensource.org/licenses/MITFile Path: D:\maven\repository\com\hazelcast\hazelcast\3.6.2\hazelcast-3.6.2.jar\META-INF/maven/com.eclipsesource.minimal-json/minimal-json/pom.xml
Description: Core Hazelcast Module
File Path: D:\maven\repository\com\hazelcast\hazelcast\3.6.2\hazelcast-3.6.2.jar\META-INF/maven/com.hazelcast/hazelcast-client-protocol/pom.xml
MD5: ee1187da92ecffea32ed700cd941bd46
SHA1: 445b33f73f70aa2004e8c6b19139cf1aa9459029
License:
BSD License: http://xstream.codehaus.org/license.html The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0File Path: D:\maven\repository\info\cukes\cucumber-jvm-deps\1.0.3\cucumber-jvm-deps-1.0.3.jar\META-INF/maven/info.cukes/cucumber-jvm-deps/pom.xml
File Path: D:\maven\repository\info\cukes\cucumber-jvm-deps\1.0.3\cucumber-jvm-deps-1.0.3.jar\META-INF/maven/com.thoughtworks.xstream/xstream/pom.xml
MD5: 14020aa66919970ee853c7ad6f175070
SHA1: b8c57a02d6c67065a4e87fccf27cff6a76f045fe
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Vulnerable Software & Versions:
Description: The DiffUtils library for computing diffs, applying patches, generationg side-by-side view in Java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\info\cukes\cucumber-jvm-deps\1.0.3\cucumber-jvm-deps-1.0.3.jar\META-INF/maven/com.googlecode.java-diff-utils/diffutils/pom.xml
Description: Complete distribution for ANTLR 3
File Path: D:\maven\repository\org\antlr\antlr-complete\3.5.2\antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/antlr-complete/pom.xml
MD5: 8ea79fe16a50c9eacc0be0616db261a8
SHA1: 28061dd7bc78afdf2b48cb11054c936e7f886abf
Description: The ANTLR 3 tool.
File Path: D:\maven\repository\org\antlr\antlr-complete\3.5.2\antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/antlr/pom.xml
MD5: a5b639e28f29413c658a60b12f6e48fd
SHA1: d6830744a9a30a9c0afebfb84a5fdd6cc7e9d4ab
Description: StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.htmlFile Path: D:\maven\repository\org\antlr\antlr-complete\3.5.2\antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/ST4/pom.xml
Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: D:\maven\repository\org\antlr\antlr-complete\3.5.2\antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/antlr-runtime/pom.xml
MD5: b9bf8a27cb01fac6a32d6aa68b59f5bf
SHA1: af8ae5172f0c499d932d465673c9833c8777c1dd
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-369 Divide By Zero
** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications "need to be prepared to handle a wide variety of exceptions."
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features
base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Vulnerable Software & Versions:
Description: gUnit grammar testing tool for ANTLR 3
File Path: D:\maven\repository\org\antlr\antlr-complete\3.5.2\antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/gunit/pom.xml
MD5: 51086b27f900a7dedbcd411b0ce9e8a8
SHA1: 6cd767fa480e067b371539de92cf126a773486b2
Description: StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.htmlFile Path: D:\maven\repository\org\antlr\antlr-complete\3.5.2\antlr-complete-3.5.2.jar\META-INF/maven/org.antlr/stringtemplate/pom.xml
Description:
This module contains the compilation of all public Metro APIs.
File Path: D:\maven\repository\org\glassfish\metro\webservices-api\2.1\webservices-api-2.1.jar\META-INF/maven/org.glassfish.metro/webservices-api/pom.xml
MD5: 0f6a6948b4206e78ea4435b28b557baa
SHA1: fc636d3b9a1264bd6f6d5061230ca595bf351bc2
File Path: D:\maven\repository\org\glassfish\metro\webservices-api\2.1\webservices-api-2.1.jar\META-INF/maven/javax.xml.soap/saaj-api/pom.xml
MD5: 80f55c1b9ee67ee546b3de81e35a75d6
SHA1: ced85ef7cc403a0da309b3761a2ff168f361d5a6
Description: Common Annotations for the JavaTM Platform API version ${spec.version} Repackaged as OSGi bundle in GlassFish
File Path: D:\maven\repository\org\glassfish\metro\webservices-api\2.1\webservices-api-2.1.jar\META-INF/maven/org.glassfish/javax.annotation/pom.xml
MD5: b7778b465e6d0513e8454058e94a214a
SHA1: e498c8940676f6e24124cab7ad20d1aec9011039
Description:
This module contains the Metro runtime code.
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/webservices-rt/pom.xml
MD5: 48b709f875f6aaa572fbd7b4ec357361
SHA1: 9b8123484564085473fabf505191ddf597e1cafd
Description:
This module contains the Metro WSIT API
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/wsit-api/pom.xml
MD5: 64625ea4e3e7e0bc7a705c2f442e2441
SHA1: 19b59e7aff902507bf70d20914ccd1221ffec6ab
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-commons/pom.xml
MD5: e561d94d5786a0cb81e834d29ab9347b
SHA1: 434fb5653b21b2fcba3bccf41718d388067199f0
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-config-api/pom.xml
MD5: 52c4ee70b52cdff4809b6eab9f185f10
SHA1: 96f026ef4b768e8f96aaf841631eaddb8e1e276a
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-runtime-api/pom.xml
MD5: 545dad68dbf013587a8b5010e403b825
SHA1: 66db34ee1a2c1d83a00c31db5aadc988fbdf2bdb
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/soaptcp-api/pom.xml
MD5: 7ccc81e593993d53a545d07092a3bc34
SHA1: a875fb0b44fd3486e7dc98aaee21b74f1e6225bc
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-cm-api/pom.xml
MD5: 2db94a0b0b1ef3ce59cce59ac653b16e
SHA1: 7ad9e8d2a66f9e9b4dd85d466501a54cb30567a5
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-190 Integer Overflow or Wraparound
The mintToken function of a smart contract implementation for CM, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
Vulnerable Software & Versions:
Description:
Open source Reference Implementation of JSR-76: SOAP with Attachments API for Java (SAAJ MR :1.3)
License:
Dual license consisting of the CDDL v1.1 and GPL v2
: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/com.sun.xml.messaging.saaj/saaj-impl/pom.xmlDescription:
Provides a streaming API to access attachments parts in a MIME message.
License:
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0
: http://www.opensource.org/licenses/cddl1.php
GPLv2 with classpath exception
: http://www.gnu.org/software/classpath/license.html
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.jvnet/mimepull/pom.xmlDescription: Extensions to JSR-173 StAX API.
License:
Common Development And Distribution License (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.htmlFile Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.jvnet.staxex/stax-ex/pom.xml
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").
Vulnerable Software & Versions:
License:
Dual License: CDDL 1.0 and GPL V2 with Classpath Exception: https://glassfish.dev.java.net/public/CDDL+GPL.htmlFile Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/com.sun.xml.ws/policy/pom.xml
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.ha/ha-api/pom.xml
MD5: 6808e2354cd90c98c90552b750147d9a
SHA1: 0afda50d3020ef8e6a1255eca97878c35c5fdd74
Description:
This module contains the Metro WSIT runtime code.
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/wsit-impl/pom.xml
MD5: 8a3909f4747da1960bde5684ad152c6d
SHA1: 1576a74fad6f856b3cfc5028914ff8bf6210d200
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-config-impl/pom.xml
MD5: 8b50b99f872d3125909e01b8a8a36592
SHA1: 7e9dbb213fc9d2ec1a094c8676b8d339335e061c
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/metro-runtime-impl/pom.xml
MD5: c9a6ef830eb34549bc71267c5b289dea
SHA1: 91663542d9ba7c44a4f142f39352df0020d09d9a
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/soaptcp-impl/pom.xml
MD5: 145cf33c4ee73031c3277c2dfad6223c
SHA1: 55fd18f660d98d6e838f94e54e2ceef161cb3d3e
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/xmlfilter/pom.xml
MD5: 34682a68f3bbc0fa7f8786a2f3a529a2
SHA1: b2cdf1be489bec62cac83092c8540e9ee5eac1fc
File Path: D:\maven\repository\org\glassfish\metro\webservices-rt\2.1\webservices-rt-2.1.jar\META-INF/maven/org.glassfish.metro/ws-mex/pom.xml
MD5: 737cd94df587558188d16dfe1ba96398
SHA1: 3a49f1b5f6f1c95d48a8816787a50d735ad48bee
Description: Java Foreign Function Interface
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jffi/pom.xml
Description: A set of platform constants (e.g. errno values)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-constants/pom.xml
Description: Native I/O access for java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-enxio/pom.xml
Description: A library for invoking native functions from java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-ffi/pom.xml
Description: Lookup TCP and UDP services from java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-netdb/pom.xml
Description:
Common cross-project/cross-platform POSIX APIs
License:
Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.htmlFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-posix/pom.xml
Description: Native I/O access for java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-unixsocket/pom.xml
Description: A pure-java X86 and X86_64 assembler
License:
MIT License: http://www.opensource.org/licenses/mit-license.phpFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.github.jnr/jnr-x86asm/pom.xml
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.headius/invokebinder/pom.xml
Description: JZlib is a re-implementation of zlib in pure Java
License:
Revised BSD: http://www.jcraft.com/jzlib/LICENSE.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/com.jcraft/jzlib/pom.xml
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/jline/jline/pom.xml
Description: Date and time library to replace JDK date handling
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/joda-time/joda-time/pom.xml
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title.
Vulnerable Software & Versions:
Description:
Java port of Oniguruma: http://www.geocities.jp/kosako3/oniguruma
that uses byte arrays directly instead of java Strings and chars
License:
MIT License: http://www.opensource.org/licenses/mit-license.phpFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/org.jruby.joni/joni/pom.xml
Description: YAML 1.1 parser and emitter for Java
License:
Apache License Version 2.0: LICENSE.txtFile Path: D:\maven\repository\org\jruby\jruby-complete\1.7.4\jruby-complete-1.7.4.jar\META-INF/maven/org.yaml/snakeyaml/pom.xml
File Path: D:\maven\repository\org\seleniumhq\selenium\jetty-repacked\7.6.1\jetty-repacked-7.6.1.jar\META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml
MD5: 8f1fca3b19f808084a0ec368324b3ed0
SHA1: 67dcf9233a473d872a3a48c3800781c0603df1d2
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Handling
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Vulnerable Software & Versions: (show all)
File Path: D:\maven\repository\org\seleniumhq\selenium\jetty-repacked\7.6.1\jetty-repacked-7.6.1.jar\META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: 001a7f511ffb16873ea05be06bfcb1d9
SHA1: f3d8b5aa622cc3b68975088e33074b1dc4dd892f